General

  • Target

    JaffaCakes118_8f98f16ccc8f9c9c7a7553c44c8a0832

  • Size

    746KB

  • Sample

    250329-wjk9sstxgw

  • MD5

    8f98f16ccc8f9c9c7a7553c44c8a0832

  • SHA1

    70a32814dd58fd8ed0ad1eeb725757d2e0444c6b

  • SHA256

    d861afcb864c0f7366976c6eb1894c5dbb4be8001c1239de56aa8d3d30444451

  • SHA512

    54e9f62ede10cb1532942615fb12194bcc02743345595e93acfccc04c6177d52f490b2fadb2580df137ef23bbd3cae9cf275a06772014189723ba8dd50496b18

  • SSDEEP

    12288:C6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh:nAmBpVKHu0Mu9Xo20VGLVP5

Malware Config

Extracted

Family

darkcomet

Botnet

Ynnah

C2

Ynnah.no-ip.info:3085

Mutex

DC_MUTEX-M6EK9E8

Attributes

  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    .V*$TgrzBQ3N

  • install

    true

  • offline_keylogger

    true

  • password

    8101993

  • persistence

    true

  • reg_key

    Windows_KB7

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks