General

  • Target

    JaffaCakes118_4dac262f5b8c8fe03c2339afec76b0cc

  • Size

    302KB

  • Sample

    250304-qyfd7ssk13

  • MD5

    4dac262f5b8c8fe03c2339afec76b0cc

  • SHA1

    6b04f29af4cc1fa10975935b9b000e2b552f6e8e

  • SHA256

    360ae8775f8e3ac7a975676fc33585190c90ead599563b35b780cca560c6a665

  • SHA512

    ed257ab75b542d0f03f9118d170b1eb50e3c6a82e6287b33d58c0241d787bafdb5d59cd59b41f04a47f777d0f052e0e8b945916df8959e38128f968d48aa2c40

  • SSDEEP

    6144:Vz+ZIja7JiVzDfdUITRilQ37imhVltGNPl4/fRq4vTBxvVjk5CKOh:Vz+4KMVzDfrTRYQ3+WltCiHE4vTB3cwh

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

rocker340.no-ip.org:1337

Mutex

DC_MUTEX-TACZ1FF

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    �SfhT/hs8bG+

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

rc4.plain
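
An added example, not code from the report, the sandbox, or the DarkComet project: how the "Extracted" attributes above are recovered from a DarkComet build. DarkComet 5.x keeps its configuration in an RCDATA resource named DCDATA, stored as hex text of an RC4 ciphertext; the RC4 key is a version constant followed by the operator's password. The constant, the DCDATA layout and the KEY={value} field names below come from public write-ups and are assumptions here, not facts on this page (the page's rc4.plain field is empty, so the sample's real key is not known from it). The sample blob is constructed from the report's own values; GENCODE is a placeholder because the page's gencode value is mis-encoded.

```python
"""DarkComet DCDATA decoder (added example; assumptions noted inline)."""
import re

# Assumed DarkComet 5.1+ key constant; 5.0 builds used "#KCMDDC5#-890".
DC_KEY_PREFIX = "#KCMDDC51#-890"

# DarkComet's own config keys mapped onto the labels the report uses.
FIELD_MAP = {
    "SID": "botnet", "NETDATA": "c2", "MUTEX": "mutex", "GENCODE": "gencode",
    "INSTALL": "install", "PERSINST": "persistence",
    "OFFLINEK": "offline_keylogger", "KEYNAME": "reg_key", "EDTPATH": "InstallPath",
}
BOOL_FIELDS = ("install", "persistence", "offline_keylogger")
FIELD_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}\r?$", re.M)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str, password: str = "") -> str:
    """Hex-decode a DCDATA resource and RC4-decrypt it with prefix + password."""
    key = (DC_KEY_PREFIX + password).encode("latin-1")
    return rc4(key, bytes.fromhex(hex_blob.strip())).decode("latin-1")


def parse_config(plain: str) -> dict:
    """Turn decrypted KEY={value} lines into the report's attribute names."""
    if "#BEGIN DARKCOMET DATA" not in plain:
        raise ValueError("not a DarkComet config: wrong key/password or not DCDATA")
    raw = dict(FIELD_RE.findall(plain))
    cfg = {label: raw[k] for k, label in FIELD_MAP.items() if k in raw}
    for name in BOOL_FIELDS:
        if name in cfg:
            cfg[name] = cfg[name] == "1"
    if "c2" in cfg:                     # multiple hosts are '|'-separated
        cfg["c2"] = cfg["c2"].split("|")
    return cfg


def extract(hex_blob: str, password: str = "") -> dict:
    return parse_config(decrypt_dcdata(hex_blob, password))


# Constructed sample: the report's values re-encoded as a DCDATA blob under the
# assumed default key with no password.  Not taken from the real binary.
_SAMPLE_PLAIN = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={DC_MUTEX-TACZ1FF}\r\nSID={Guest16}\r\nFWB={0}\r\n"
    "NETDATA={rocker340.no-ip.org:1337}\r\nGENCODE={placeholder}\r\n"
    "INSTALL={1}\r\nCOMBOPATH={0}\r\nEDTPATH={Windupdt\\winupdate.exe}\r\n"
    "KEYNAME={winupdater}\r\nPERSINST={1}\r\nOFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
SAMPLE_DCDATA_HEX = rc4(DC_KEY_PREFIX.encode(), _SAMPLE_PLAIN.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    for k, v in extract(SAMPLE_DCDATA_HEX).items():
        print(f"{k:18} {v}")
```

On a real sample the hex text is read out of the DCDATA resource (for example with pefile) and passed to extract(); a wrong password leaves the marker line unreadable, which is why parse_config checks for it rather than silently returning an empty dict.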

Targets

    • Target

      JaffaCakes118_4dac262f5b8c8fe03c2339afec76b0cc

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.
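
An added example, not part of the report: the behavioural signatures above turned into host-artefact predicates and run over constructed records. The registry locations are the ones these signature names conventionally refer to (Run key, Winlogon Userinit/Shell, the SharedAccess FirewallPolicy tree, Security Center and EnableLUA policy, the BIOS and Geo lookups); the report does not show the exact values this sample wrote, so the record contents are constructed illustrations with the report's InstallPath and reg_key plugged in. The check also correlates persistence writes back to the extracted InstallPath, which is the step a practitioner wants when confirming a config extraction against a sandbox trace.

```python
"""Map sandbox-style signature names onto registry/process predicates (added example)."""
import re

INSTALL_PATH = r"Windupdt\winupdate.exe"   # from the report's extracted config

# (signature name, event type, key regex, value regex or None).  Key paths are
# assumed from the signature names; the report lists behaviours, not keys.
RULES = [
    ("Adds Run key to start application", "reg_set",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", None),
    ("Modifies WinLogon for persistence", "reg_set",
     r"\\Windows NT\\CurrentVersion\\Winlogon$", r"^(Userinit|Shell)$"),
    ("Modifies firewall policy service", "reg_set",
     r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", None),
    ("Windows security modification", "reg_set",
     r"(\\Microsoft\\Security Center$|\\CurrentVersion\\Policies\\System$)",
     r"^(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|EnableLUA)$"),
    ("Checks BIOS information in registry", "reg_query",
     r"\\HARDWARE\\DESCRIPTION\\System$", r"^(SystemBiosVersion|VideoBiosVersion)$"),
    ("Checks computer location settings", "reg_query",
     r"\\Control Panel\\International\\Geo$", r"^Nation$"),
]


def match_signatures(events, install_path=INSTALL_PATH):
    """Return {signature: [evidence, ...]} for the records that fire a rule."""
    hits = {}
    tail = install_path.lower()
    for ev in events:
        for name, etype, key_re, val_re in RULES:
            if ev["type"] != etype or not re.search(key_re, ev["key"], re.I):
                continue
            if val_re and not re.match(val_re, ev.get("value", ""), re.I):
                continue
            hits.setdefault(name, []).append(ev["key"] + "\\" + ev.get("value", ""))
        # Cross-checks against the extracted config rather than fixed key paths.
        if ev["type"] == "proc" and ev["image"].lower().endswith(tail):
            hits.setdefault("Executes dropped EXE", []).append(ev["image"])
        if ev["type"] == "reg_set" and tail in ev.get("data", "").lower():
            hits.setdefault("Persistence references InstallPath", []).append(ev["key"])
    return hits


# Constructed trace: what a sandbox registry/process log for this family would
# plausibly contain.  Paths and data values are illustrative, not from the page.
SAMPLE_EVENTS = [
    {"type": "reg_query", "key": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"type": "reg_query", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "winupdater", "data": r"C:\Users\victim\Documents\Windupdt\winupdate.exe"},
    {"type": "reg_set", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\Windupdt\winupdate.exe"},
    {"type": "reg_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "value": "EnableFirewall", "data": "0"},
    {"type": "reg_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "0"},
    {"type": "proc", "image": r"C:\Users\victim\Documents\Windupdt\winupdate.exe",
     "parent": r"C:\Users\victim\Desktop\sample.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Example\Settings", "value": "Theme", "data": "dark"},
]

if __name__ == "__main__":
    for sig, evidence in match_signatures(SAMPLE_EVENTS).items():
        print(sig)
        for e in evidence:
            print("   ", e)
```

The benign last record is there to show the rules do not fire on arbitrary HKCU writes; only the named persistence, policy and fingerprinting locations match, and the InstallPath correlation ties the Run and Userinit writes to the path the config extraction produced.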

MITRE ATT&CK Enterprise v15

Tasks