General

  • Target

    JaffaCakes118_19b03adb5e0305178b7745ecf8a7eb10

  • Size

    1.1MB

  • Sample

    250222-psgjmswmaw

  • MD5

    19b03adb5e0305178b7745ecf8a7eb10

  • SHA1

    adaf0ce5cf66ac7823c9035d15832699b07edfcf

  • SHA256

    03b9416c2165a5905aca9162b23f7dde33fa9bd783415a21d2d188bc668a0f91

  • SHA512

    2a3f6b7acdc61418bd82bf4f833c8e08b57ba365df2299fc888e0e54fc16da4bc2fb70e58a3ce45bd44b1205b890a3551b8eb8c31bafd138cf743fbd4f3b90b5

  • SSDEEP

    24576:6L2RnXQrVLoL74t86NR1amWvwo6JF4esx+O:rn374t864Z6JF4ec

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

192.168.1.4:1604

chavo2.zapto.org:1604

Mutex

DC_MUTEX-F54S21D

Attributes

  • gencode

    9JqNl�rGboGy

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Targets

    • Target

      JaffaCakes118_19b03adb5e0305178b7745ecf8a7eb10

    • Size

      1.1MB

    • MD5

      19b03adb5e0305178b7745ecf8a7eb10

    • SHA1

      adaf0ce5cf66ac7823c9035d15832699b07edfcf

    • SHA256

      03b9416c2165a5905aca9162b23f7dde33fa9bd783415a21d2d188bc668a0f91

    • SHA512

      2a3f6b7acdc61418bd82bf4f833c8e08b57ba365df2299fc888e0e54fc16da4bc2fb70e58a3ce45bd44b1205b890a3551b8eb8c31bafd138cf743fbd4f3b90b5

    • SSDEEP

      24576:6L2RnXQrVLoL74t86NR1amWvwo6JF4esx+O:rn374t864Z6JF4ec

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks