General

  • Target

    5e3f65de757aed30d79293cabbee77ea_JaffaCakes118

  • Size

    752KB

  • Sample

    240720-ab2qxsxbkp

  • MD5

    5e3f65de757aed30d79293cabbee77ea

  • SHA1

    0344555423cdbc998b2bd651dd92527242f0c76a

  • SHA256

    95c09d23727258c67872cc173d1cf11d9ef3dcae704f9fe6295fa956bbfba1dc

  • SHA512

    469f78024cfc5041f4ae7c5e082491449a683e2de15b67f6b45b5191e033f0a12ceefaf0b86575fb3d14b7df680ff4d37f773689234a5390eba48f82c2fc4c89

  • SSDEEP

    12288:vuLwF2ymMJMKiJ9d8B57bPFC18hoo2FB5cmdwnvFJKwu44R7ayiBDrmKr2zZwA:WLwFvmMRiJs57bNC1OoWmdevDv/ozZ7

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-H12UTCA

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    0QEazHxeDuoB

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      5e3f65de757aed30d79293cabbee77ea_JaffaCakes118

    • Size

      752KB

    • MD5

      5e3f65de757aed30d79293cabbee77ea

    • SHA1

      0344555423cdbc998b2bd651dd92527242f0c76a

    • SHA256

      95c09d23727258c67872cc173d1cf11d9ef3dcae704f9fe6295fa956bbfba1dc

    • SHA512

      469f78024cfc5041f4ae7c5e082491449a683e2de15b67f6b45b5191e033f0a12ceefaf0b86575fb3d14b7df680ff4d37f773689234a5390eba48f82c2fc4c89

    • SSDEEP

      12288:vuLwF2ymMJMKiJ9d8B57bPFC18hoo2FB5cmdwnvFJKwu44R7ayiBDrmKr2zZwA:WLwFvmMRiJs57bNC1OoWmdevDv/ozZ7

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks