General

  • Target

    6cffdd65b64ffb7ee4ac830ddcd7e038_JaffaCakes118

  • Size

    690KB

  • Sample

    240724-17gczazgrq

  • MD5

    6cffdd65b64ffb7ee4ac830ddcd7e038

  • SHA1

    57a797e26eed12a555bf1edb9b5a6eea4109fc56

  • SHA256

    5bcb25635791e470c9c347d69573626fdf93040dd2a52bae7947041fe54e6a7f

  • SHA512

    b69be17dd5cbe67ee8144fc90c9ee0dfb93d223003d6e7de135da3e3f71019531e047270a9fc3ebcf62da3a2bf9e373ed7debea31fd458704195245e5be45584

  • SSDEEP

    12288:n9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hAls:BZ1xuVVjfFoynPaVBUR8f+kN10EBZ

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    ewqeqwdw.duckdns.org:81

  • Mutex

    DC_MUTEX-W4N6J00

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Y49ga9JSqw5Q

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
