General

  • Target

    60f90587a0fefe3c73b1ed43a91ea9ae_JaffaCakes118

  • Size

    716KB

  • Sample

    240721-w9bs2ssanp

  • MD5

    60f90587a0fefe3c73b1ed43a91ea9ae

  • SHA1

    f0617849b8036be8e762683d1dd69e5e49965164

  • SHA256

    60fa2b8949f00e9c194be4c1da24a4d7b188af1f8ebcf32cffd432a4c17d0820

  • SHA512

    73f7c8e96ac275cb7dd336d5db3871757dfd2da6c3b1e4f6fa5862797ae8a7d6789c39ddd79cab0b06038042bb2054c5c135591b6a197fd2913dc2860d19e5ae

  • SSDEEP

    12288:yPixQzUlORtk7w7nZDWtA+KGzurODpWh/xitnAmneaYu+LXMEJHCqZTaUuIMO4Dg:gii4bw7nsvyq4/xithWhX1JQTIODRI/

Malware Config

Extracted

Family

darkcomet

Botnet

TiGeRMaNiA

C2

fataka.no-ip.biz:82

Mutex

DC_MUTEX-WUS3N6Q

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    k7JgDHZDMKm8

  • install

    true

  • offline_keylogger

    true

  • password

    fataka

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      60f90587a0fefe3c73b1ed43a91ea9ae_JaffaCakes118

    • Size

      716KB

    • MD5

      60f90587a0fefe3c73b1ed43a91ea9ae

    • SHA1

      f0617849b8036be8e762683d1dd69e5e49965164

    • SHA256

      60fa2b8949f00e9c194be4c1da24a4d7b188af1f8ebcf32cffd432a4c17d0820

    • SHA512

      73f7c8e96ac275cb7dd336d5db3871757dfd2da6c3b1e4f6fa5862797ae8a7d6789c39ddd79cab0b06038042bb2054c5c135591b6a197fd2913dc2860d19e5ae

    • SSDEEP

      12288:yPixQzUlORtk7w7nZDWtA+KGzurODpWh/xitnAmneaYu+LXMEJHCqZTaUuIMO4Dg:gii4bw7nsvyq4/xithWhX1JQTIODRI/

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (DarkCoderSc). Its development was discontinued in 2012, but leaked builders remain in circulation, so new builds with the default artifact names (DC_MUTEX-* mutex, MSDCSC\msdcsc.exe install path) still appear.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
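The extracted configuration and the behavioural signatures above give an analyst a small set of host and network indicators to hunt for: the C2 hostname and port, the mutex, the Run key value name and the InstallPath. The Python script below is an added example (not part of the Triage report or of DarkComet itself) that matches those indicators against constructed EDR, DNS and registry telemetry; the events, hostnames, IP addresses and the %APPDATA%\Roaming user-profile paths are invented for the demonstration. It also generalises one step beyond this sample: DarkComet's builder names its mutex DC_MUTEX- followed by seven uppercase alphanumerics, so the pattern match flags other builds of the family as well, labelled as such.

```python
"""Hunt for the DarkComet indicators from the report in constructed telemetry.

Added example for this page; the EVENTS list is made up and the indicator
values are copied from the extracted configuration above.
"""
import re
from collections import defaultdict

# Indicators taken from the report's Malware Config section
C2_HOST = "fataka.no-ip.biz"
C2_PORT = 82
MUTEX = "DC_MUTEX-WUS3N6Q"
RUN_KEY_VALUE = "MicroUpdate"
INSTALL_PATH = r"MSDCSC\msdcsc.exe"   # relative; the report does not state the parent directory

# Generalisation (assumption, see lead-in): DarkComet's default mutex is
# DC_MUTEX- plus seven uppercase alphanumerics, so other builds can be caught too.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


def _is_install_path(path):
    """Case-insensitive test that an image path ends with the configured InstallPath."""
    return path.lower().endswith(INSTALL_PATH.lower())


def _contains_install_path(data):
    """Userinit holds a comma-separated list; flag if any entry is the install path."""
    return any(_is_install_path(p.strip()) for p in data.split(","))


def match_event(event):
    """Return the reasons an event matches the report's IOCs (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "dns":
        if event.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append(f"dns: lookup of C2 host {C2_HOST}")
    elif kind == "netconn":
        image = event.get("image", "")
        if _is_install_path(image):
            hits.append(f"netconn: outbound connection from install path {INSTALL_PATH}")
            # Port alone is a weak signal; only report it together with the image path.
            if event.get("dport") == C2_PORT:
                hits.append(f"netconn: destination port matches C2 port {C2_PORT}")
    elif kind == "mutex":
        name = event.get("name", "")
        if name == MUTEX:
            hits.append(f"mutex: exact match for this sample ({MUTEX})")
        elif DC_MUTEX_RE.match(name):
            hits.append(f"mutex: DarkComet default naming pattern ({name}), different build")
    elif kind == "registry":
        key = event.get("key", "").lower()
        value = event.get("value", "")
        data = event.get("data", "")
        if key.endswith(r"\currentversion\run") and value == RUN_KEY_VALUE:
            hits.append(f"registry: Run key value {RUN_KEY_VALUE} (signature 'Adds Run key to start application')")
        if key.endswith(r"\winlogon") and value.lower() == "userinit" and _contains_install_path(data):
            hits.append("registry: Winlogon Userinit points at install path (signature 'Modifies WinLogon for persistence')")
    return hits


def hunt(events):
    """Group matches by host so the analyst sees which machines carry which indicators."""
    findings = defaultdict(list)
    for ev in events:
        for reason in match_event(ev):
            findings[ev["host"]].append(reason)
    return dict(findings)


# Constructed telemetry: wks01 is fully infected, wks02 only shows the Winlogon
# change, wks03 runs a different DarkComet build, wks04 is clean.
EVENTS = [
    {"type": "dns", "host": "wks01", "query": "fataka.no-ip.biz"},
    {"type": "netconn", "host": "wks01", "dst": "203.0.113.10", "dport": 82,
     "image": r"C:\Users\bob\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "mutex", "host": "wks01", "name": "DC_MUTEX-WUS3N6Q"},
    {"type": "registry", "host": "wks01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate", "data": r"C:\Users\bob\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "registry", "host": "wks02",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"type": "mutex", "host": "wks03", "name": "DC_MUTEX-ABC1234"},
    {"type": "dns", "host": "wks04", "query": "www.example.com"},
    {"type": "netconn", "host": "wks04", "dst": "198.51.100.5", "dport": 82,
     "image": r"C:\Program Files\Foo\foo.exe"},
]

if __name__ == "__main__":
    for host, reasons in sorted(hunt(EVENTS).items()):
        print(host)
        for r in reasons:
            print("  -", r)
```

Run it directly to print the findings per host. Destination port 82 is deliberately not an indicator on its own: plenty of benign software talks to port 82, so the script only reports it when the connecting process already sits at the DarkComet install path, and the Run key check uses the value name rather than the binary path because the report gives the path only relative to an unstated parent directory.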

MITRE ATT&CK Enterprise v15

Tasks