General

  • Target

    JaffaCakes118_4f4fea624f1298a53b0dd0c377eada28

  • Size

    771KB

  • Sample

    250304-ykr5vazjx2

  • MD5

    4f4fea624f1298a53b0dd0c377eada28

  • SHA1

    5569b5bf3d541f69250d8dfed8a3131cfe1044b8

  • SHA256

    81c56019465efa69611aeede5c280ce90a1a0a2f3b0ed76daeabfe6b4c80fdd3

  • SHA512

    39983bb3e543141a8af047a4fcf0433053c075adeb60cba6f0819335b3726cff01f375aa040fd77cbbf0d86b6531965969d055edbc84424b41a2e6a6af492b7c

  • SSDEEP

    12288:Qc0xALOnoeXbkFMeUaDkAb69z3cnM6/tkmNKS5SIpgnimmi+QeGV73LY8u:x2nnLIRb69z3cJXlpCxeGNE8u

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

dolf12002.no-ip.info:1604

Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    +r5.a2k6FVT6

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Targets

    • Target

      JaffaCakes118_4f4fea624f1298a53b0dd0c377eada28

    • Size

      771KB

    • MD5

      4f4fea624f1298a53b0dd0c377eada28

    • SHA1

      5569b5bf3d541f69250d8dfed8a3131cfe1044b8

    • SHA256

      81c56019465efa69611aeede5c280ce90a1a0a2f3b0ed76daeabfe6b4c80fdd3

    • SHA512

      39983bb3e543141a8af047a4fcf0433053c075adeb60cba6f0819335b3726cff01f375aa040fd77cbbf0d86b6531965969d055edbc84424b41a2e6a6af492b7c

    • SSDEEP

      12288:Qc0xALOnoeXbkFMeUaDkAb69z3cnM6/tkmNKS5SIpgnimmi+QeGV73LY8u:x2nnLIRb69z3cJXlpCxeGNE8u

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks