General

  • Target

    6687a6fc3bbcf2f1e35c3f13204f684c_JaffaCakes118

  • Size

    334KB

  • Sample

    240723-hjvatasepg

  • MD5

    6687a6fc3bbcf2f1e35c3f13204f684c

  • SHA1

    051f9f535954e1c3a362e7e924d8abc64171e5ed

  • SHA256

    bcaed589b132de24e3b17a5e5f01e67df6d6a648cad87cc0b40f00040eaf021f

  • SHA512

    b8e32b3a6a52573bf8160e7d8bc5c3ea872554a786be96f3983212fb69f3585722e79dcbd2f2bb1d4b45cc9da60a8380916643eec4ce570601085861a199a08c

  • SSDEEP

    6144:xMMWJH007FoGoyy3GSrsM/XII6aN2Z1sVd+SK6brDgNqpbn+UnCZdQnRa:gJH0NGoyYYB7Z10s+DgNqR+9enY

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

abod12345.no-ip.info:999

Mutex

DC_MUTEX-66BQSLQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    PMybMb4KoUjA

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      6687a6fc3bbcf2f1e35c3f13204f684c_JaffaCakes118

    • Size

      334KB

    • MD5

      6687a6fc3bbcf2f1e35c3f13204f684c

    • SHA1

      051f9f535954e1c3a362e7e924d8abc64171e5ed

    • SHA256

      bcaed589b132de24e3b17a5e5f01e67df6d6a648cad87cc0b40f00040eaf021f

    • SHA512

      b8e32b3a6a52573bf8160e7d8bc5c3ea872554a786be96f3983212fb69f3585722e79dcbd2f2bb1d4b45cc9da60a8380916643eec4ce570601085861a199a08c

    • SSDEEP

      6144:xMMWJH007FoGoyy3GSrsM/XII6aN2Z1sVd+SK6brDgNqpbn+UnCZdQnRa:gJH0NGoyYYB7Z10s+DgNqR+9enY

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check used to decide whether to run.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
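
    The following Python is an added example, not part of this report or of any sandbox tooling. It sweeps Sysmon-style event records for the indicators in the extracted config and the behaviour list above: the dropped msdcsc.exe executing from its MSDCSC install path, the MicroUpdate value being written under a Run key, a Winlogon value being pointed at the install path, DNS lookups and connections to the C2 host, and the DC_MUTEX-66BQSLQ mutex. Sysmon event IDs and field names are real; the event records themselves are constructed for the example, and the "Mutex" record is an assumed sandbox/EDR schema, since Sysmon does not log mutex creation. The C2 match is on the hostname only, because a dynamic-DNS name is the stable indicator while the port may differ between builds.

```python
import re

# Indicators copied from the extracted DarkComet config and behaviour list on this page.
C2_HOST = "abod12345.no-ip.info"
C2_PORT = 999                      # informational; hostname alone drives the match
MUTEX = "DC_MUTEX-66BQSLQ"
INSTALL_PATH = r"MSDCSC\msdcsc.exe"
RUN_VALUE_NAME = "MicroUpdate"

# Sysmon event IDs for the telemetry that exposes each behaviour.
EID_PROCESS_CREATE = 1
EID_NETWORK_CONNECT = 3
EID_REGISTRY_SET = 13
EID_DNS_QUERY = 22

# A value written directly under a Run key; group 1 is the value name.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Any value under the Winlogon key (e.g. UserInit or Shell).
WINLOGON_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\", re.I)


def classify(event):
    """Return the indicator names a single event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == EID_PROCESS_CREATE:
        # Executes dropped EXE: image path ends with the configured install path.
        if event.get("Image", "").lower().endswith(INSTALL_PATH.lower()):
            hits.append("exec-dropped-msdcsc")
    elif eid == EID_NETWORK_CONNECT:
        if event.get("DestinationHostname", "").lower() == C2_HOST:
            hits.append("c2-connect")
    elif eid == EID_REGISTRY_SET:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        m = RUN_KEY_RE.search(target)
        if m and m.group(1).lower() == RUN_VALUE_NAME.lower():
            hits.append("run-key-microupdate")
        if WINLOGON_RE.search(target) and INSTALL_PATH.lower() in details.lower():
            hits.append("winlogon-modified")
    elif eid == EID_DNS_QUERY:
        if event.get("QueryName", "").lower() == C2_HOST:
            hits.append("c2-dns")
    # Assumed sandbox/EDR record shape: a "Mutex" field carrying the created mutex name.
    if event.get("Mutex") == MUTEX:
        hits.append("darkcomet-mutex")
    return hits


def sweep(events):
    """Map event index -> matched indicators for every event that hit something."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


# Constructed telemetry for this example; not captured from the sample.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe",
     "CommandLine": r'"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 22, "QueryName": "abod12345.no-ip.info"},
    {"EventID": 3, "DestinationHostname": "abod12345.no-ip.info", "DestinationPort": 999},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},   # benign, must not match
    {"Mutex": "DC_MUTEX-66BQSLQ"},
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Run key names and install paths are what the operator configured for this build, so a sweep keyed on them will miss other DarkComet builds; the mutex prefix DC_MUTEX- and the Winlogon modification generalise better across samples of this family.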

MITRE ATT&CK Enterprise v15

Tasks