General

  • Target

    JaffaCakes118_535fc5889c6529c6b7305d676706e9f7

  • Size

    800KB

  • Sample

    250305-ygsxzaxsat

  • MD5

    535fc5889c6529c6b7305d676706e9f7

  • SHA1

    c4973e1bff0df18a86ff2617dcb0bea35dce2d0d

  • SHA256

    255bad38b0e13e2b1773bb69c3cbbbce47ef50207e13dab0ad31147de6bee5d3

  • SHA512

    2e9981d78cfa6fe5858d42ac7f5ccfbede50f68c5a803a4c8e386f3987360fabd3d2dd016b5beb5acdc28a6ff66387389f839e347ea05159a4a5fa89ea13b669

  • SSDEEP

    12288:OaAchpWsuVtDnBsBDJIcynnC90levX4CuYf2D82T3s99+VHuNKskG:PAEE3uBDhynCylQgi63O9+VuNTt

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

AbduLrhmaN-Hacker

Attributes
  • InstallPath

    System\?????????.exe

  • gencode

    R*f2HnWPlQUA

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    winupdater

rc4.plain
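The fields above are what a config extractor recovers from a DarkComet build. Two points a practitioner should take from them before anything else: the C2 is 127.0.0.1:1604 (loopback, on DarkComet's default port 1604), so this build as configured never reaches a real controller and is most likely a test or builder-default build; and the RC4 key that protects the config is not shown on the page (the `rc4.plain` field is empty here). The following Python is an added example, not code from this report or from any extractor tool. It assumes what is publicly documented for DarkComet 5.x: the config lives in an RCDATA resource named DCDATA as hex-encoded RC4 ciphertext under the key `#KCMDDC51#-890` followed by the operator's password (empty by default), and the plaintext is a series of `KEY={VALUE}` lines. Because the sample's real resource is not on the page, the block constructs its own ciphertext inline by encrypting a plaintext that mirrors the values extracted above; the `FIELD_MAP` names and the `c2_is_routable` check are my additions, chosen to match this report's field names.

```python
"""Added example (not part of this report): decrypt and parse a DarkComet-style
DCDATA config block and map it onto the field names used in the report above.

Assumptions (not from the page): DarkComet 5.x stores its config as hex-encoded
RC4 ciphertext under the key "#KCMDDC51#-890" + <operator password>, and the
plaintext is KEY={VALUE} lines. The ciphertext below is CONSTRUCTED here by
encrypting a config that mirrors the report's values; it is not the sample's
real resource.
"""
import ipaddress
import re

DC51_KEY_PREFIX = b"#KCMDDC51#-890"   # assumption: a DarkComet 5.1 build, empty password


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# DarkComet config keys -> the names used in this report (my mapping, not the tool's).
FIELD_MAP = {
    "SID": "botnet",
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "KEYNAME": "reg_key",
    "PERS": "persistence",
    "OFFLINEK": "offline_keylogger",
}
BOOL_FIELDS = {"install", "persistence", "offline_keylogger"}
LINE_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def decrypt_dcdata(hex_blob: str, password: bytes = b"") -> str:
    """Hex-decode and RC4-decrypt a DCDATA blob with the 5.1 key prefix + password."""
    return rc4(DC51_KEY_PREFIX + password, bytes.fromhex(hex_blob)).decode("latin-1")


def parse_config(plaintext: str) -> dict:
    """Turn KEY={VALUE} lines into the report's field names; '1'/'0' become bools.
    Header/footer lines (#BEGIN ... / #EOF ...) and unknown keys are skipped."""
    cfg = {}
    for raw in plaintext.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.groups()
        name = FIELD_MAP.get(key)
        if name is None:
            continue
        cfg[name] = (value == "1") if name in BOOL_FIELDS else value
    return cfg


def c2_is_routable(c2: str) -> bool:
    """False for loopback/private/reserved C2 addresses (this sample's 127.0.0.1 can
    never reach a controller); a DNS name cannot be decided offline and returns True."""
    host = c2.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


# Constructed plaintext mirroring the report's extracted values (NOT the real resource).
CONSTRUCTED_PLAINTEXT = (
    "#BEGIN DARKCOMET DATA --\r\n"
    "MUTEX={AbduLrhmaN-Hacker}\r\n"
    "SID={Guest16}\r\n"
    "NETDATA={127.0.0.1:1604}\r\n"
    "GENCODE={R*f2HnWPlQUA}\r\n"
    "INSTALL={1}\r\n"
    "KEYNAME={winupdater}\r\n"
    "PERS={0}\r\n"
    "OFFLINEK={1}\r\n"
    "#EOF DARKCOMET DATA --\r\n"
)
CONSTRUCTED_DCDATA_HEX = rc4(DC51_KEY_PREFIX, CONSTRUCTED_PLAINTEXT.encode("latin-1")).hex().upper()


def extract(hex_blob: str = CONSTRUCTED_DCDATA_HEX, password: bytes = b"") -> dict:
    """Full pipeline: decrypt, parse, and flag whether the C2 is actually reachable."""
    cfg = parse_config(decrypt_dcdata(hex_blob, password))
    cfg["c2_routable"] = c2_is_routable(cfg.get("c2", ""))
    return cfg


if __name__ == "__main__":
    for k, v in extract().items():
        print(f"{k}: {v}")
```

On a real sample you would replace `CONSTRUCTED_DCDATA_HEX` with the bytes of the DCDATA resource (for example via `pefile`), and if decryption yields no `#BEGIN DARKCOMET DATA` header, try the other version prefixes and a non-empty operator password before concluding the resource is not a DarkComet config. The `c2_routable` flag is the triage shortcut: a loopback or RFC 1918 C2, as here, downgrades the sample from "live implant" to "test build" for network detection purposes while leaving the host-side indicators (mutex, Run key name) fully usable.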

Targets

    • Target

      JaffaCakes118_535fc5889c6529c6b7305d676706e9f7

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is read from the registry (HKLM\HARDWARE\DESCRIPTION\System, e.g. SystemBiosVersion and VideoBiosVersion) to fingerprint virtual machines and sandboxes by their vendor strings.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15