General

  • Target

    136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118

  • Size

    1.9MB

  • Sample

    240626-zseedstcka

  • MD5

    136d9001b11fba77ae168bf0f09a7ee5

  • SHA1

    b628cc11be2ecb992163a3ab335c0a4e31d2d573

  • SHA256

    f997497b76f240159e28d44b943a40e0ea27b6c4d7b2cdb6dc769d65bbb92544

  • SHA512

    80ba416964e3402a280b4b9dbe9e4abbfab49f029451dd4f5c1ec80a8cad8cae1438d366436168b6912492fda0108cf28d1ca16fd80d46029aef0c97a47008e3

  • SSDEEP

    24576:GE0fHw0TS/Tlr+robnykC36QNOhh0/svqus32tt4Onwp8aJRdoUepoLJlPK5Hyep:GE0fQ0TSLV+LSaOI/4FwpRpyHYm+2ah

Malware Config

Extracted

Family

darkcomet

Botnet

Finally

C2

tast.no-ip.biz:82

Mutex

DC_MUTEX-98S0K24

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    j6R1c8a9GWJZ

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
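
The fields above are what a sandbox recovers by decrypting the RAT's embedded configuration. The following is an added example, not code from the report or from DarkComet: it shows how such a KEY={value} block, once RC4-decrypted and hex-decoded from the resource it lives in, is mapped onto the field names used here (Botnet, C2, Mutex, InstallPath, gencode, install, offline_keylogger, persistence, reg_key). The plaintext is constructed from the values shown on this page, the RC4 key is a placeholder and not the key of any real build, and the DarkComet key names (SID, NETDATA, MUTEX, EDTPATH, GENCODE, INSTALL, OFFLINEK, PERSINST, KEYNAME) are the commonly documented ones.

```python
"""Decode a DarkComet-style configuration and map it to the report's fields.

Added example, not code from the sandbox report or from DarkComet itself.
DarkComet stores its settings as KEY={value} lines between a BEGIN and an
EOF marker, RC4-encrypts that text and keeps the ciphertext hex-encoded in
a resource. The plaintext below is CONSTRUCTED from the values the report
shows; the RC4 key is a placeholder, not the key of any real build.
"""

BEGIN = "#BEGIN DARKCOMET DATA --"
END = "#EOF DARKCOMET DATA --"

# DarkComet's own config keys -> the field names used in the report.
FIELD_MAP = {
    "SID": "botnet",
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "EDTPATH": "install_path",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
    "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; symmetric, so it both builds the sample and decrypts it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: str) -> dict:
    """Parse the decrypted KEY={value} block; unknown keys are ignored."""
    lines = plaintext.splitlines()
    if BEGIN not in lines or END not in lines:
        raise ValueError("DarkComet config markers not found")
    body = lines[lines.index(BEGIN) + 1 : lines.index(END)]
    config = {}
    for line in body:
        if "={" not in line or not line.endswith("}"):
            continue
        key, value = line.split("={", 1)
        value = value[:-1]
        field = FIELD_MAP.get(key)
        if field is None:
            continue
        config[field] = (value == "1") if field in BOOL_FIELDS else value
    return config


def decode_resource(hex_blob: str, key: bytes) -> dict:
    """Hex-decode the resource, RC4-decrypt it with the given key, parse it."""
    return parse_config(rc4(key, bytes.fromhex(hex_blob)).decode("latin-1"))


# Constructed sample: the report's values written in DarkComet's line format.
CONSTRUCTED_PLAINTEXT = "\n".join([
    BEGIN,
    "MUTEX={DC_MUTEX-98S0K24}",
    "SID={Finally}",
    "NETDATA={tast.no-ip.biz:82}",
    "GENCODE={j6R1c8a9GWJZ}",
    "INSTALL={1}",
    "EDTPATH={MSDCSC\\msdcsc.exe}",
    "KEYNAME={MicroUpdate}",
    "PERSINST={1}",
    "OFFLINEK={1}",
    "MELT={0}",  # present in real configs but not surfaced by the report
    END,
])
ASSUMED_KEY = b"PLACEHOLDER-RC4-KEY"  # assumption: not DarkComet's real key
CONSTRUCTED_RESOURCE = rc4(ASSUMED_KEY, CONSTRUCTED_PLAINTEXT.encode()).hex().upper()


def extract_example() -> dict:
    """Run the decoder over the constructed resource."""
    return decode_resource(CONSTRUCTED_RESOURCE, ASSUMED_KEY)


if __name__ == "__main__":
    for field, value in extract_example().items():
        print(f"{field}: {value}")
```

Against a real sample the hex string would come out of the binary's resource section and the key would be the version-specific one; the mapping step is what turns INSTALL={1} into install: true and NETDATA into the C2 shown above.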

Targets

    • Target

      136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the dropped file is hidden from Explorer and similar directory listings.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
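
Two of the behaviours listed above, the Run key and the WinLogon modification, leave registry artifacts that can be checked against the extracted config. The following is an added example, not part of the report: it reads an offline `reg export` text and flags a Run value named after the extracted reg_key (MicroUpdate), any autorun pointing at the extracted InstallPath (MSDCSC\msdcsc.exe), and a Winlogon Userinit or Shell that launches anything beyond the Windows defaults. The export is constructed; the victim profile directory under which MSDCSC\msdcsc.exe sits is an assumption.

```python
"""Hunt for DarkComet persistence artifacts in a registry export.

Added example, not part of the sandbox report. It checks an offline
'reg export' text for the registry-side behaviours the report lists:
a Run key value (named after the extracted reg_key), an autorun that
points at the extracted install path, and a Winlogon Userinit/Shell
value launching more than the Windows default. The export below is
CONSTRUCTED; the victim profile directory is an assumption.
"""
import re

DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"
DEFAULT_SHELL = "explorer.exe"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(text: str) -> str:
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def hunt(reg_text: str, install_path: str, reg_key: str) -> list:
    """Flag autoruns tied to the extracted config and non-default Winlogon."""
    findings = []
    for key_path, values in parse_reg_export(reg_text).items():
        lower = key_path.lower()
        if lower.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name.lower() == reg_key.lower():
                    findings.append(("run_value_name", key_path, name, data))
                elif install_path.lower() in data.lower():
                    findings.append(("run_install_path", key_path, name, data))
        elif lower.endswith(r"\currentversion\winlogon"):
            # Userinit is a comma-separated list; anything besides the
            # legitimate userinit.exe is an added autostart.
            userinit = values.get("Userinit", "")
            extras = [e.strip() for e in userinit.split(",")
                      if e.strip() and e.strip().lower() != DEFAULT_USERINIT.lower()]
            if extras:
                findings.append(("winlogon_userinit", key_path, "Userinit", ",".join(extras)))
            shell = values.get("Shell", DEFAULT_SHELL)
            if shell.lower() != DEFAULT_SHELL:
                findings.append(("winlogon_shell", key_path, "Shell", shell))
    return findings


# Constructed export: one benign Run entry, one DarkComet-style entry, and
# a Userinit with the RAT appended after the legitimate userinit.exe.
CONSTRUCTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MicroUpdate"="C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"
"Shell"="explorer.exe"
'''


def hunt_example() -> list:
    """Run the hunt with the reg_key and InstallPath extracted in the report."""
    return hunt(CONSTRUCTED_EXPORT, install_path="MSDCSC\\msdcsc.exe", reg_key="MicroUpdate")


if __name__ == "__main__":
    for kind, key_path, name, data in hunt_example():
        print(f"[{kind}] {key_path}\\{name} = {data}")
```

The benign OneDrive entry is not flagged, the MicroUpdate value is caught by name before the path check runs, and the Userinit finding reports only the appended executable rather than the whole value. The mutex (DC_MUTEX-98S0K24) is a live-host indicator and is not visible in an offline export.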

MITRE ATT&CK Enterprise v15