General

  • Target

    JaffaCakes118_19daacec9168d5da2bbb8e19a3e9e212

  • Size

    382KB

  • Sample

    250222-qchbnswpfs

  • MD5

    19daacec9168d5da2bbb8e19a3e9e212

  • SHA1

    35a81638d94d7b01de0d0d688fbeb99eace7cdf8

  • SHA256

    509af80d81f94c96d5122e8786164565f1adae69d076e3aa7ba7fca1d190bfb2

  • SHA512

    542d5fafe8b7da48c288d71ef3249e8f73de2733ca5be67690b8febe7788118bd12f528c86df2eb8b72db51f40396becee86d780f2173440d3627f67e200bdf9

  • SSDEEP

    6144:S3P7OZg0Du89DiFoOEWDJu/jMMc51KXBmIzFFTpe53RTCTbunzm/Xw:cP7OC29WrEWD+wMc5iBmcRpeHCTsaA

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    fangsnake3.zapto.org:2000

  • Mutex

    DC_MUTEX-F54S21D

  • Attributes

    • gencode

      4CSphW54z�K1

    • install

      false

    • offline_keylogger

      false

    • persistence

      false

  • rc4.plain

Targets

    • Target

      JaffaCakes118_19daacec9168d5da2bbb8e19a3e9e212


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies firewall policy service

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15