General

  • Target

    27f2bffd80e144f0b738ff6659c3b8c3_JaffaCakes118

  • Size

    252KB

  • Sample

    240509-ddxrjaef4v

  • MD5

    27f2bffd80e144f0b738ff6659c3b8c3

  • SHA1

    388aff586e3ec2c5c862596ec16abdfdbdfcb98f

  • SHA256

    4c9e11389a51bbb1538c3c57a469be9256812e9be5ced4f06ba6c100668ddde1

  • SHA512

    a57f5163ef3d35d000b0f9d5caf84a65ebce2d3cdfe61468fb13d976541caab106c9fab32392c4826e5bedd87ae29c9a0eb53e4281bec0f0d0e856b6660be1c2

  • SSDEEP

    6144:DcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PHQU:DcWkbgTYWnYnt/IDYhPJ

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16 (the DarkComet builder's default campaign ID, so it identifies no particular operator)

  • C2

    127.0.0.1:1604 (loopback address on the DarkComet default port 1604: this build cannot reach an external controller, so the C2 is not a usable network indicator and the config is most likely a test or builder-default stub)

  • Mutex

    DC_MUTEX-15PZK2D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    WXuth936C97A

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      27f2bffd80e144f0b738ff6659c3b8c3_JaffaCakes118


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Executable is packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of matched signatures.

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2
