General

  • Target

    5e9889d82395491191c9201a5712d5da_JaffaCakes118

  • Size

    353KB

  • Sample

    240720-cdg6ea1fkq

  • MD5

    5e9889d82395491191c9201a5712d5da

  • SHA1

    85391ba3f544efe565db431f422c8140971f98b7

  • SHA256

    3396b831071c92d1c62d1aa112f5203fcdda4036ae22c757ee515fae939d5581

  • SHA512

    fc9848c923a191e0f93146b873b5928467ef1749af6ea64d38a5e61a1d14b0a7469b0207e79387f580a33712d0a7f6b0e4695e8702dfa2907e3de0ef74fa701c

  • SSDEEP

    6144:ewT5O4ITfbUCkRm4I7uZdMes/2cDl7w8RHZupFG0R3C2JWLLDMdWnpQZh9h4:eP4KfCRm47i/2Yku5upF1R3nOMd0QZhw

Malware Config

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Extracted

Family

darkcomet

Botnet

Guest16

C2

colinsli.zapto.org:1604

Mutex

DC_MUTEX-ZQY73ZA

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    uEqif5qpggxF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      5e9889d82395491191c9201a5712d5da_JaffaCakes118

    • Size

      353KB

    • MD5

      5e9889d82395491191c9201a5712d5da

    • SHA1

      85391ba3f544efe565db431f422c8140971f98b7

    • SHA256

      3396b831071c92d1c62d1aa112f5203fcdda4036ae22c757ee515fae939d5581

    • SHA512

      fc9848c923a191e0f93146b873b5928467ef1749af6ea64d38a5e61a1d14b0a7469b0207e79387f580a33712d0a7f6b0e4695e8702dfa2907e3de0ef74fa701c

    • SSDEEP

      6144:ewT5O4ITfbUCkRm4I7uZdMes/2cDl7w8RHZupFG0R3C2JWLLDMdWnpQZh9h4:eP4KfCRm47i/2Yku5upF1R3nOMd0QZhw

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks