General

  • Target

    5fc6bfecce8359e30effa415e3be01c0_JaffaCakes118

  • Size

    992KB

  • Sample

    240720-khgdnsvamr

  • MD5

    5fc6bfecce8359e30effa415e3be01c0

  • SHA1

    82353d75fab0aaa45a4856cbd817e2dda310154a

  • SHA256

    0befefad1d9608508fd1d8a6b161cc92de76b12fe1a8134128814364b96803c1

  • SHA512

    67a884a9a35056652e6067d594e78ef98fffa5d033e56808fd10055fc33e7ddde6bbaf5d1fb36fe32b68028d53f715065e82817bbdfe1037757d8dbaf5182148

  • SSDEEP

    24576:QLcg23kW4yWzBq1UY1gMsijcusHdyR2hAsS+XS105wYwj:uymLtz9BSVj

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ca-nexoneu001.sytes.net:1604

Mutex

DC_MUTEX-0TYYB4F

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    f2dW9SpjR1RJ

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      5fc6bfecce8359e30effa415e3be01c0_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is not displayed in Explorer and similar tools.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15