General

  • Target

    5f95af9cbc5a4d1705f7e9f17a7a34c4_JaffaCakes118

  • Size

    252KB

  • Sample

    240520-rwr6naef7y

  • MD5

    5f95af9cbc5a4d1705f7e9f17a7a34c4

  • SHA1

    93b0f593fd666c7e7bfcedc110a4f0654c8a0112

  • SHA256

    e44ab9dcf709ae1194e77082424c26b38b8d810aef0d3208c8f58c2743bbde43

  • SHA512

    c19dc5533f90cf596d7a47179e06a91cc04a5196075a9e2c84bfbb659258f5b0c92f174939283bf89cdb1b358bcf44c7e963301278d9409db8b6c2234ec8db84

  • SSDEEP

    6144:6cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37eSGDY:6cW7KEZlPzCy37XG

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

gem0t0gen10.ddns.net:1605

Mutex

DC_MUTEX-SWM65EH

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    nVQjaDV6ixEf

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      5f95af9cbc5a4d1705f7e9f17a7a34c4_JaffaCakes118

    • Size

      252KB

    • MD5

      5f95af9cbc5a4d1705f7e9f17a7a34c4

    • SHA1

      93b0f593fd666c7e7bfcedc110a4f0654c8a0112

    • SHA256

      e44ab9dcf709ae1194e77082424c26b38b8d810aef0d3208c8f58c2743bbde43

    • SHA512

      c19dc5533f90cf596d7a47179e06a91cc04a5196075a9e2c84bfbb659258f5b0c92f174939283bf89cdb1b358bcf44c7e963301278d9409db8b6c2234ec8db84

    • SSDEEP

      6144:6cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37eSGDY:6cW7KEZlPzCy37XG

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Modify Registry

7
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks