General

  • Target

    JaffaCakes118_460996608099f0d68569c6706c2a42b3

  • Size

    242KB

  • Sample

    250303-kph6vas1f1

  • MD5

    460996608099f0d68569c6706c2a42b3

  • SHA1

    66e57121aa9b139e5cedaa204d4be1e707988462

  • SHA256

    2490fd24c3852ca7bea966c4ef092166b40da82c8a84a81ed3c635e2ffdfebeb

  • SHA512

    84b9f295283ee4afc735e1b85bff7af87adb06faf1c3b42e7004d17335ea206d03101d2090b351f91b3ea05c62ba79d957ffc58eeeac2ed38fb14bc17b881e8d

  • SSDEEP

    6144:p1iJcYtR1HsvpSHY7KoSrfTNBuzZZcA1wnOLrMM4z1:pkHcpSHY7VSrfT2/czO3Hs1

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jules371.no-ip.org:53

Mutex

DC_MUTEX-QKX2X5G

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    j8T+Zb�NXG�p

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    winupdater

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks