General

  • Target

    6188391cd463ef04f369c7a351948b40_JaffaCakes118

  • Size

    694KB

  • Sample

    240721-1pbprswenb

  • MD5

    6188391cd463ef04f369c7a351948b40

  • SHA1

    4df00328d166925e05881b8902a49ec5cd0fc6fe

  • SHA256

    11cce176d94e186eec591670f617ee7585425a62d3aca432a85f38164e4926e7

  • SHA512

    02768b3d0c13b18205d51da8132495fc5fb7d7bf5b93b8788ba62adfceaf9f57a72f30ec468dad9ec723987f57ffb9d097589e419ad232c6d82a618919cac426

  • SSDEEP

    12288:TY9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hS:TMZ1xuVVjfFoynPaVBUR8f+kN10EBs

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

poltair.no-ip.org:300

Mutex

DC_MUTEX-K0CLLBR

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    L63nhUT1c5rp

  • install

    true

  • offline_keylogger

    true

  • password

    123

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      6188391cd463ef04f369c7a351948b40_JaffaCakes118

    • Size

      694KB

    • MD5

      6188391cd463ef04f369c7a351948b40

    • SHA1

      4df00328d166925e05881b8902a49ec5cd0fc6fe

    • SHA256

      11cce176d94e186eec591670f617ee7585425a62d3aca432a85f38164e4926e7

    • SHA512

      02768b3d0c13b18205d51da8132495fc5fb7d7bf5b93b8788ba62adfceaf9f57a72f30ec468dad9ec723987f57ffb9d097589e419ad232c6d82a618919cac426

    • SSDEEP

      12288:TY9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hS:TMZ1xuVVjfFoynPaVBUR8f+kN10EBs

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks