General

  • Target: 67851006cff67b0bf2ed41d716d656f8_JaffaCakes118
  • Size: 701KB
  • Sample: 240723-n743tavhrq
  • MD5: 67851006cff67b0bf2ed41d716d656f8
  • SHA1: 6807f3624be4a34fd66e35339d47c965fbc24749
  • SHA256: 5fb5bc37f828d36358f72f86b5699dfb82add3f0f50b9eac837f813362d23046
  • SHA512: 34e5785989e2a733b8a935dedaf44b37253457c43d23817ca58d917b5c3ef99a770081c37317738e502afcf6b28a9701cced3aa35117c38e1f66874d2ef50ba0
  • SSDEEP: 12288:IM0GBAUfKBV4dl4yzTNu+jAGAsH1X/Vkb8rIRCTQoMnYFOKQ29jpH6n8/b6p1d:Z9vE4dZQ+TAI1XibSIRUMnd29danXv

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: 127.0.0.1:81
  • Mutex: DC_MUTEX-9S19QMZ

Attributes

  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: asi5B2pzNgey
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop the file from showing in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
