General

  • Target

    JaffaCakes118_1c4cf79556b2e7277ebbac5d299e2ef7

  • Size

    1.0MB

  • Sample

    250222-z2p79azkgq

  • MD5

    1c4cf79556b2e7277ebbac5d299e2ef7

  • SHA1

    4c6d7d10fe9f0742fa8f33a283b65b12e43a353a

  • SHA256

    382cb6ee7c42d0792d49f6c5b11b65ab7c88b394ede77f1f19bb70a755e78032

  • SHA512

    82cda393aee536f75f1c5e9865edf015157f733a747a07b11c5af38e19d35b893d68113726e68354f075e1bc8f0c59a4ad8ad10a775a201360a2de1da313f72f

  • SSDEEP

    12288:T6J0CUopUcISxxFQAY7WFRhpxkyRkszl30NXz4dEajUvHgM0jER364q2yGaHV6Mr:TY0SVzRASNMsfVn/n3nCZhrG

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

waynezor.no-ip.info:101

Mutex

DC_MUTEX-ASPL96Y

Attributes

  • InstallPath

    Program Files\Windows\Update.exe

  • gencode

    sl/c%xP#Q-j�

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Extracted

Family

darkcomet

Attributes

  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Targets

    • Target

      JaffaCakes118_1c4cf79556b2e7277ebbac5d299e2ef7

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15