General

  • Target

    62cf3699e81685d64d1161b2017e8a9c_JaffaCakes118

  • Size

    650KB

  • Sample

    240722-l7s97s1hla

  • MD5

    62cf3699e81685d64d1161b2017e8a9c

  • SHA1

    8c03eed965875c97c86cb0bb8ebabf3cfaf7d1b5

  • SHA256

    e77e50695ccdf9758e1586dc2bb07d8b569f23d4284dffb748e6eb41fb6c91fc

  • SHA512

    edfd8a3434ec3050741082fc9048e16e1103ec48844f500fda60f765ad120af441d19955759327ca7497281d944cf0b7b9542c32df3f58b59402e2f5469b99f3

  • SSDEEP

    12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+0:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+G1

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    75.166.144.239:1604

  • Mutex

    DC_MUTEX-AU01VTD

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    UiNgKsPRGk1V

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      62cf3699e81685d64d1161b2017e8a9c_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks