General

  • Target

    6969b660100552c0d19c876991b7bf27_JaffaCakes118

  • Size

    1.8MB

  • Sample

    240723-3lrmxsvfll

  • MD5

    6969b660100552c0d19c876991b7bf27

  • SHA1

    8eee8a44cc1d1b6e35017be01770a6fb5b49eb5d

  • SHA256

    bf6010249f73cd7507fe3b782c4dc6e954ae934a1028c71c887c7dbe10010387

  • SHA512

    ab4d96b6d126dfeafc16cd24f0a0554b3908163e65788e58e35242e31f7a2c65b81355b99ed8fba07692661a6ce408ca88f37472c83891e8b1a73e5113de940f

  • SSDEEP

    12288:AG/b778/+OiZsSOIk+Yrs8V+p7kvV5cvFfGMCwMSXgk9XJIC21YLuGd3GjCnjtdG:z/StqvJXJvxM4pLNk94yTlT6OYc7h7Z

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-HEDDRVL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    PcNHhxPkunCb

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6969b660100552c0d19c876991b7bf27_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the dropped file is not shown in Explorer or in default directory listings.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
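The extracted configuration and the behavioural signatures above map directly onto host and network indicators: the C2 hosts and port, the mutex, the Run key value name, the Winlogon change, the hidden install path, and vbc.exe spawned from that path. The Python below is an added example written for this page, not code from the sandbox report or from DarkComet itself; it encodes those indicators as hunting rules and runs them over constructed, Sysmon-style telemetry. The event records and their field names are assumptions, and the `DC_MUTEX-` prefix rule generalises from this sample's single mutex to DarkComet's default mutex naming.

```python
"""Hunt for the DarkComet IOCs and behaviours listed above.

Added example; not part of the sandbox report or of DarkComet itself.
The telemetry below is constructed to resemble Sysmon-style records, and
its field names ("type", "query", "dst", ...) are assumptions.
"""

# Indicators copied from the extracted config above.
CONFIG = {
    "c2": ["darkcomet2013.no-ip.biz:1500", "192.168.1.71:1500"],
    "mutex": "DC_MUTEX-HEDDRVL",
    "install_path": r"MSDCSC\msdcsc.exe",   # relative to the drop directory
    "reg_key": "MicroUpdate",               # Run key value name
}

# Constructed telemetry (not from the report). The last record is benign noise.
EVENTS = [
    {"type": "dns", "query": "darkcomet2013.no-ip.biz"},
    {"type": "net", "dst": "192.168.1.71", "dport": 1500},
    {"type": "mutex", "name": "DC_MUTEX-HEDDRVL"},
    {"type": "mutex", "name": "DC_MUTEX-ABCDEFG"},  # hypothetical other build
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate", "data": r"C:\Windows\System32\MSDCSC\msdcsc.exe"},
    {"type": "reg", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Windows\System32\MSDCSC\msdcsc.exe"},
    {"type": "proc", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "parent": r"C:\Windows\System32\MSDCSC\msdcsc.exe"},
    {"type": "file_attr", "path": r"C:\Windows\System32\MSDCSC\msdcsc.exe",
     "attrs": "HIDDEN|ARCHIVE"},
    {"type": "net", "dst": "10.0.0.5", "dport": 443},
]


def userinit_extras(data):
    """Return entries in a Winlogon Userinit value other than userinit.exe itself.

    The stock value is the path to userinit.exe followed by a trailing comma;
    anything appended after it is launched at logon, which is how this sample
    modifies WinLogon for persistence.
    """
    parts = [p.strip() for p in data.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith(r"\userinit.exe")]


def hunt(events, config):
    """Return (rule_name, event) pairs for every record matching an indicator."""
    c2 = {}
    for entry in config["c2"]:
        host, port = entry.rsplit(":", 1)
        c2[host.lower()] = int(port)
    install_tail = config["install_path"].lower()
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "dns" and ev["query"].lower() in c2:
            hits.append(("c2_dns", ev))
        elif kind == "net" and c2.get(ev["dst"].lower()) == ev["dport"]:
            hits.append(("c2_connect", ev))
        elif kind == "mutex":
            if ev["name"] == config["mutex"]:
                hits.append(("mutex_exact", ev))
            elif ev["name"].startswith("DC_MUTEX-"):
                # DarkComet's default mutex prefix; catches other builds too.
                hits.append(("mutex_family", ev))
        elif kind == "reg":
            key = ev["key"].lower()
            if key.endswith(r"\currentversion\run") and ev["value"] == config["reg_key"]:
                hits.append(("run_key", ev))
            elif key.endswith(r"\winlogon") and ev["value"].lower() == "userinit" \
                    and userinit_extras(ev["data"]):
                hits.append(("winlogon_userinit", ev))
        elif kind == "proc":
            if ev["image"].lower().endswith(r"\vbc.exe") \
                    and ev["parent"].lower().endswith(install_tail):
                hits.append(("vbc_from_install_path", ev))
        elif kind == "file_attr":
            if ev["path"].lower().endswith(install_tail) and "hidden" in ev["attrs"].lower():
                hits.append(("install_hidden", ev))
    return hits


def rule_names(events=EVENTS, config=CONFIG):
    """Convenience wrapper: just the rule names, in event order."""
    return [rule for rule, _ in hunt(events, config)]


if __name__ == "__main__":
    for rule, ev in hunt(EVENTS, CONFIG):
        print(f"{rule:24s} {ev}")
```

Two caveats when turning this into production detections: 192.168.1.71 is RFC 1918 address space, so the second C2 entry only means something inside the network where the build was made and should not be pushed as a global network indicator; and the Winlogon rule keys on any addition to Userinit rather than on this sample's path, so it will also fire on legitimate logon-time tooling and needs an allow list.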

MITRE ATT&CK Enterprise v15

Tasks