General

  • Target: JaffaCakes118_21b1ae9a5d823996ba865280b25de379
  • Size: 1.2MB
  • Sample: 250225-abe7xswmw2
  • MD5: 21b1ae9a5d823996ba865280b25de379
  • SHA1: 6a989c860cfca43b389647e2afe16cf8487b0e15
  • SHA256: 345a6f15de47f70f150adc2e076feded9c8cf6ac69d479e756d8d484ac212a15
  • SHA512: 79533ce677b8d637e004b2c0bd1c1241a6c6e3e9a5973b0fd030c7bdd95232b3259943a44f83e2a2e230def4d73b8fb8c177149aff3809c9c7f2d9569f774559
  • SSDEEP: 24576:LKrjnxH3/n3N7cpCiBXxjMrO7vVXfMCxwRyWRlJChduj8yNfG:L0jxH3P3N7cNBXxjqO7RtiRyoS08yNfG

Malware Config

Extracted

Family: darkcomet

Attributes
  • gencode:
  • install: false
  • offline_keylogger: false
  • persistence: false

rc4.plain

Extracted

Family: darkcomet
Botnet: Guest16
C2: kooat.no-ip.biz:10000
Mutex: DC_MUTEX-798GFF5

Attributes
  • gencode: 6BY9j91vo2kr
  • install: false
  • offline_keylogger: true
  • persistence: false

rc4.plain

Targets

    • Target: JaffaCakes118_21b1ae9a5d823996ba865280b25de379
    • Size: 1.2MB
    • MD5: 21b1ae9a5d823996ba865280b25de379
    • SHA1: 6a989c860cfca43b389647e2afe16cf8487b0e15
    • SHA256: 345a6f15de47f70f150adc2e076feded9c8cf6ac69d479e756d8d484ac212a15
    • SHA512: 79533ce677b8d637e004b2c0bd1c1241a6c6e3e9a5973b0fd030c7bdd95232b3259943a44f83e2a2e230def4d73b8fb8c177149aff3809c9c7f2d9569f774559
    • SSDEEP: 24576:LKrjnxH3/n3N7cpCiBXxjMrO7vVXfMCxwRyWRlJChduj8yNfG:L0jxH3P3N7cNBXxjqO7RtiRyoS08yNfG
    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family
    • Modifies firewall policy service
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks