General

  • Target: 67cb1c01c75bff149ff7861c69fc4466_JaffaCakes118
  • Size: 909KB
  • Sample: 240723-qxfctasfpp
  • MD5: 67cb1c01c75bff149ff7861c69fc4466
  • SHA1: 24941f17cbfaf6be7983327256234341058d6dc5
  • SHA256: 24c07c17891cf017be8d95fc1420e436770e0b707a1ce98cb67d128412e88af5
  • SHA512: a1916f2ef82d64cfc34658a94652b0dc018962625edd9ead107544b50c2d146f4e9e1e32f10548e0ba2c00c328eb8eda317031f1d1d0edc7ba4f2e8b1f508902
  • SSDEEP: 24576:fjEqdiCTMMfHNDAxHDGjcAyThDzp+c2Yjk/Pyh7VXr:fjEqk9M/twjkc3zpw87R

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest1
  • C2: 127.0.0.1:1604
  • Mutex: DCMIN_MUTEX-UV5JZRV

Attributes

  • InstallPath: DCSCMIN\IMDCSC.exe
  • gencode: DvTRSZJUcivg
  • install: true
  • offline_keylogger: true
  • persistence: false
  • reg_key: DarkComet RAT

Targets

    • Target: 67cb1c01c75bff149ff7861c69fc4466_JaffaCakes118


    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks