General

  • Target

    JaffaCakes118_432ae0531198837a134fa889a1c3bcb8

  • Size

    788KB

  • Sample

    250302-2zbm7aylt8

  • MD5

    432ae0531198837a134fa889a1c3bcb8

  • SHA1

    7b81aeaffb9bd9a215cf3ba3bfca97fa2bafa5f1

  • SHA256

    f1951549c83f98983302f70f41e96fcd273eba5d8db8607645c6b2eb48c2d85a

  • SHA512

    8fca174ed630c1a4b2150e07c7cab702914fe936b5842c643e4c252a7aa6d113b5e22ea5b2514a80650c32b36e119c95e860fcdc076e833da393318869025bf8

  • SSDEEP

    12288:dYKzom4yNIr/WPpzQ1N/4odZdTVFltkl5ZduCPvLVzDkztklpLmx+corp:+4oO6/apzgN/4o1xFXkllziSpVcOp

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

nydarion2.zapto.org:2525

Mutex

DC_MUTEX-HRS8C6U

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    1o-r##XwizVR

  • install

    true

  • offline_keylogger

    false

  • password

    boni

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
