General

  • Target

    JaffaCakes118_40ba961e9beb224042656f64b6eec80b

  • Size

    748KB

  • Sample

    250302-rg8vvswwhy

  • MD5

    40ba961e9beb224042656f64b6eec80b

  • SHA1

    fe65f5c419b28c5222fda70ecd1d3a2589023ee9

  • SHA256

    2856282de5368454c64543081f3b8b884fe7a892343bcdf660c6522fdd1b74ee

  • SHA512

    c53926b54783e9d00f17ca96c7a280d3b07561d4cf960dfca1a73da4d802c7c23455d19860107946fc318282ec712b4e063dd71f1b07ca09db6ace1502eac70c

  • SSDEEP

    12288:FNqrq0g98UFlIHAIydOYYkQ1jNgiYaLfC8yhu6xOd6ptjtmWMF:FNAqlKUFl6OlqSiYaLRyhCsmWM

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcometlegacy.no-ip.org:1604

darkcometlegacy.no-ip.org:1605

Mutex

DC_MUTEX-M6A7Y0W

Attributes
  • gencode

    1JLFkqXTc2f8

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain
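
The two Extracted blocks above are the sandbox's parse of DarkComet's RC4-encrypted configuration resource; the `rc4.plain` field is the RC4 key that decrypts it. The following Python is an added example, not code from the sandbox, from this report, or from DarkComet itself: it RC4-decrypts a hex-encoded resource blob and parses the `KEY={VALUE}` lines into the same fields the report shows (botnet, C2, mutex, gencode, install, offline_keylogger, persistence). The blob is constructed here by encrypting a config text built from the values in this report; it is not bytes taken from the sample. The default key `#KCMDDC51#-890`, the hex-encoded RCDATA layout and the field names (`SID`, `NETDATA`, `MUTEX`, `GENCODE`, `INSTALL`, `PERS`, `OFFLINEK`) come from general knowledge of DarkComet 5.x builds, and using the unmodified default key (no operator password appended) is an assumption about this build.

```python
"""DarkComet config decrypt + parse (added example, not part of the sandbox report)."""
import re

# Assumption: a DarkComet 5.x build with the default key and no operator password appended.
DEFAULT_RC4_KEY = b"#KCMDDC51#-890"

CONFIG_BEGIN = "#BEGIN DARKCOMET DATA --"
CONFIG_END = "#EOF DARKCOMET DATA --"
_LINE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_darkcomet_config(text: str) -> dict:
    """Turn the decrypted KEY={VALUE} config text into the report's field names.

    Raises ValueError when the begin/end markers are missing, which is what a
    wrong RC4 key (wrong build version or operator password) looks like.
    """
    lines = [ln for ln in text.replace("\r\n", "\n").split("\n") if ln]
    if not lines or lines[0] != CONFIG_BEGIN or lines[-1] != CONFIG_END:
        raise ValueError("not a DarkComet config: wrong RC4 key or unknown build")
    raw = {}
    for line in lines[1:-1]:
        m = _LINE.match(line)
        if m:
            raw[m.group(1)] = m.group(2)

    def flag(name: str) -> bool:
        return raw.get(name, "0") == "1"

    return {
        "family": "darkcomet",
        "botnet": raw.get("SID", ""),
        "c2": [h for h in raw.get("NETDATA", "").split("|") if h],
        "mutex": raw.get("MUTEX", ""),
        "gencode": raw.get("GENCODE", ""),
        "install": flag("INSTALL"),
        "offline_keylogger": flag("OFFLINEK"),
        "persistence": flag("PERS"),
    }


def extract_config(resource_hex: str, key: bytes) -> dict:
    """Hex-decode the RCDATA blob, RC4-decrypt it with `key`, and parse it."""
    plaintext = rc4(key, bytes.fromhex(resource_hex)).decode("latin-1")
    cfg = parse_darkcomet_config(plaintext)
    cfg["rc4.plain"] = key.decode("latin-1")  # the key the sandbox reports as rc4.plain
    return cfg


def key_is_valid(resource_hex: str, key: bytes) -> bool:
    """True if `key` yields a well-formed config; used to try candidate per-version keys."""
    try:
        extract_config(resource_hex, key)
        return True
    except ValueError:
        return False


# CONSTRUCTED sample: a config text using this report's values, encrypted with the
# default key and hex-encoded the way the resource is stored. Not the sample's bytes.
_CONSTRUCTED_CONFIG = "\r\n".join([
    CONFIG_BEGIN,
    "MUTEX={DC_MUTEX-M6A7Y0W}",
    "SID={Guest16}",
    "FWB={0}",
    "NETDATA={darkcometlegacy.no-ip.org:1604|darkcometlegacy.no-ip.org:1605}",
    "GENCODE={1JLFkqXTc2f8}",
    "INSTALL={0}",
    "PERS={0}",
    "OFFLINEK={1}",
    CONFIG_END,
])
CONSTRUCTED_RESOURCE_HEX = rc4(DEFAULT_RC4_KEY, _CONSTRUCTED_CONFIG.encode("latin-1")).hex().upper()


if __name__ == "__main__":
    for k, v in extract_config(CONSTRUCTED_RESOURCE_HEX, DEFAULT_RC4_KEY).items():
        print(f"{k}: {v}")
```

In practice the hex string comes out of the PE's RCDATA resource, and `key_is_valid` is run over the handful of known per-version keys (and, if a build has an operator password, that key with the password appended) before trusting any field; a decrypt that does not produce the begin/end markers is a wrong key, not an empty config.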

Targets

    • Target

      JaffaCakes118_40ba961e9beb224042656f64b6eec80b

    • Size

      748KB

    • MD5

      40ba961e9beb224042656f64b6eec80b

    • SHA1

      fe65f5c419b28c5222fda70ecd1d3a2589023ee9

    • SHA256

      2856282de5368454c64543081f3b8b884fe7a892343bcdf660c6522fdd1b74ee

    • SHA512

      c53926b54783e9d00f17ca96c7a280d3b07561d4cf960dfca1a73da4d802c7c23455d19860107946fc318282ec712b4e063dd71f1b07ca09db6ace1502eac70c

    • SSDEEP

      12288:FNqrq0g98UFlIHAIydOYYkQ1jNgiYaLfC8yhu6xOd6ptjtmWMF:FNAqlKUFl6OlqSiYaLRyhCsmWM

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks