General

  • Target

    5f11e6408330e2e7d231bf43cbc7a429_JaffaCakes118

  • Size

    692KB

  • Sample

    240720-fc85aawhnp

  • MD5

    5f11e6408330e2e7d231bf43cbc7a429

  • SHA1

    2dcd0d2a7a7a9ce3a2525d264a709be9c7568cde

  • SHA256

    0dcbf29380319f53fdbabe4e3aa5320d6383b42538ce0b3e513d56f315c27e7e

  • SHA512

    fa85c5ce4ee5c1596b322f03c4c221d98e994c00a7f7f2bd9f2de600343bc5a397f99be74b47decdbde9240304c2c609934eb363dbbfc4cdfecf3b068de0f8bb

  • SSDEEP

    12288:oZsL3lwMkQOU3O+bqgajPV/h7XDdghqA3VNUx6BevWGKwfwzBjhjNwuNfuAiz:r1oQFbqgGPpBicAlNCfJfwHx5duv

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    mondas.dnsd.info:1604

  • Mutex

    DC_MUTEX-PTCNRC0

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    spUbZCv7EBeL

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      5f11e6408330e2e7d231bf43cbc7a429_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
