General

  • Target

    JaffaCakes118_51d044e3e350c13f6d5fe0cf0d81689c

  • Size

    327KB

  • Sample

    250305-m9k72sw1bz

  • MD5

    51d044e3e350c13f6d5fe0cf0d81689c

  • SHA1

    cbee994c15d826572b00aef196dfc14c3a01633e

  • SHA256

    dd22ebdc9f9b86c994604fe3d84abd0e7b1889191c91521ce71d3ab73c3fb01b

  • SHA512

    0d29983cb2a7f1163e513bfdca8a73689895a6e2892542de7dbbdc528f91e3298804b7adca7e15bda61b5fa20dc143b0bd537586bec8aba568244401ad97cc86

  • SSDEEP

    6144:9tkXQh+fOZTb4rVfYn33rVRRF5GPXpkHg0Sme9k4GgzsdHXTvLRUQSOObAIAWgcK:TV0BZT/hWXgPgmVjGMBpN

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

graziaasus.no-ip.org:4011

Mutex

DC_MUTEX-9HBWRD0

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    UXADNe�f7C.q

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15