General

  • Target

    JaffaCakes118_84c7d8597e548caeb258298376c27519

  • Size

    663KB

  • Sample

    250321-z47v3szwes

  • MD5

    84c7d8597e548caeb258298376c27519

  • SHA1

    b5ccbdb78d80af0c91b8378e9c4a2ee4f779f91c

  • SHA256

    fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac

  • SHA512

    54666ae9801bd95d6482788b8855f85b87aa7d1df00cfd3265407f010f980ad6612b4f7f3c9c444baf06831856431a66b50ccfb3b114d79bc9abdcd7e5e84022

  • SSDEEP

    12288:3pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Y:ZwAcu99lPzvxP+Bsz2XjWTRMQckkIXnA

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    sbs

  • C2

    127.0.0.1:21

  • Mutex

    DC_MUTEX-D77XKZP

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    cyolL=+r#6rV

  • install

    true

  • offline_keylogger

    true

  • password

    never mind

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
