General

  • Target

    65614334883de1aa7f16acfb7f1597fb_JaffaCakes118

  • Size

    412KB

  • Sample

    240723-ahdbxaxarm

  • MD5

    65614334883de1aa7f16acfb7f1597fb

  • SHA1

    9d9eaa944d83a8dfbebfd3c9643312a7e9bcf6a3

  • SHA256

    83e2603fc77943b8d9475d8b70d328222f590830e813d52e0061fe88139dae2e

  • SHA512

    5b08bf8ee060240490d21b73105cf7f57c8a8fdc7b97eaf6789083f5176baf1825e4f1cc3186807895cc0cfe7bc83edf50f46f7042be1ffa8b087bc4dbd16802

  • SSDEEP

    6144:6hCLvvpHBgBM7BkqkdO2ZHE+6V5/BA+Mr6sXXXDXXXr7B:6gVHB77aq0ZLYpA+0

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

217.66.227.219:1604

Mutex

DC_MUTEX-QYGXHCW

Attributes

  • InstallPath

    MSDCSC\msdcoc.exe

  • gencode

    ddYin0vduQaq

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    Microopdate

Targets

    • Target

      65614334883de1aa7f16acfb7f1597fb_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
