General

  • Target

    JaffaCakes118_8952a0354c933abffdddc34dd80daf8d

  • Size

    1.1MB

  • Sample

    250326-1l7m2attcy

  • MD5

    8952a0354c933abffdddc34dd80daf8d

  • SHA1

    0cf34ff404e300827309a527482f044107c40916

  • SHA256

    34810247c2f70e3b67b6f489e302019f4627f7121224699d9d706a381f35a901

  • SHA512

    e358f80d6f32a59c7731954185ca0c34403c7be2510e090235a73358e3da123c9813163ffb23edea10eb4eb770f10312af66e38ea7b62c9c656c9171667ce49c

  • SSDEEP

    24576:XLidt4+maLUXUvWCRR9418CAK9+LPt57FF583x:B+PLUkTE18BKoLt5mx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

atteonpro.no-ip.biz:1604

atteonpro.no-ip.biz:100

atteonpro.no-ip.biz:666

Mutex

DC_MUTEX-A6M0LN3

Attributes
  • InstallPath

    MicrosoftXFI\MicrosoftXFI.exe

  • gencode

    wbmfHQTtN7#U

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicrosoftXFI

rc4.plain

Targets

    • Target

      JaffaCakes118_8952a0354c933abffdddc34dd80daf8d

    • Size

      1.1MB

    • MD5

      8952a0354c933abffdddc34dd80daf8d

    • SHA1

      0cf34ff404e300827309a527482f044107c40916

    • SHA256

      34810247c2f70e3b67b6f489e302019f4627f7121224699d9d706a381f35a901

    • SHA512

      e358f80d6f32a59c7731954185ca0c34403c7be2510e090235a73358e3da123c9813163ffb23edea10eb4eb770f10312af66e38ea7b62c9c656c9171667ce49c

    • SSDEEP

      24576:XLidt4+maLUXUvWCRR9418CAK9+LPt57FF583x:B+PLUkTE18BKoLt5mx

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks