General

  • Target

    JaffaCakes118_886d2ab795acf2e409ada4ddad9afcd8

  • Size

    1.2MB

  • Sample

    250324-g78mnsvmz4

  • MD5

    886d2ab795acf2e409ada4ddad9afcd8

  • SHA1

    3048dd563a1cc0db500a83ddd7f22408f829ae9f

  • SHA256

    3cbc9b41401095ccc877ec866f387876a25d0ccf3ea3659aedce7c7ffa3c95ad

  • SHA512

    cd16000642d43a905ee11bc910191059d705d296722b67795ac29e372931d73766d0e6a573b27e6414cc58e916ec6bbed51022d354ee8772fd11a8d72b93d401

  • SSDEEP

    12288:6i+f6X7fq6LEXuaAPYchSmOyYJFUS61xbnnI5fCKPMVnGRsEV8W3Vb1Qz+XAkGpM:v+fw7SrnUv/T4a6MzBkoX9c9F

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

aimbot.no-ip.org:1604

127.0.0.1:1604

192.168.1.110:1604

Mutex

DC_MUTEX-CCKCWAR

Attributes

  • InstallPath

    java32\java.exe

  • gencode

    XSQRPAVCy1NH

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks