General

  • Target

    6884ee9f2e9979aaff7e8064fbe5cdf2_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240723-vzp29atepd

  • MD5

    6884ee9f2e9979aaff7e8064fbe5cdf2

  • SHA1

    e2c726844e50784db2c1d106daf3b47a71707218

  • SHA256

    97322bc3dfe63e1fa354c10f23426afb6638ec9e555e9c6d804ff27239bc5b1d

  • SHA512

    9c5fb247c38157232a6704c47afa78e7fee9112218e0f4be90f3bfd0a6d4bb3df7b69e89ab75c1391d2eb0a1e5875fc16193f3bc44c4885b6ee1fdbd5d8b6cb5

  • SSDEEP

    24576:3j7cak+HYchIgIN9tQMRAe7oZw00OAyvqlEQ4Siw2vjR3ixUl1aM7:3jYQIjfQuAe7oZw00idQorvlSxUym

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

katrena1986.no-ip.biz:88

Mutex

�����

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Ebe2ZYnwjeiU

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6884ee9f2e9979aaff7e8064fbe5cdf2_JaffaCakes118

    • Size

      1.3MB

    • MD5

      6884ee9f2e9979aaff7e8064fbe5cdf2

    • SHA1

      e2c726844e50784db2c1d106daf3b47a71707218

    • SHA256

      97322bc3dfe63e1fa354c10f23426afb6638ec9e555e9c6d804ff27239bc5b1d

    • SHA512

      9c5fb247c38157232a6704c47afa78e7fee9112218e0f4be90f3bfd0a6d4bb3df7b69e89ab75c1391d2eb0a1e5875fc16193f3bc44c4885b6ee1fdbd5d8b6cb5

    • SSDEEP

      24576:3j7cak+HYchIgIN9tQMRAe7oZw00OAyvqlEQ4Siw2vjR3ixUl1aM7:3jYQIjfQuAe7oZw00idQorvlSxUym

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks