General

  • Target

    6a2bef4da76762725022fb0b4edf0102_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240724-emg8wazgna

  • MD5

    6a2bef4da76762725022fb0b4edf0102

  • SHA1

    0ebc3d054c8f4a50acf65a9b0278a5b0921b7cba

  • SHA256

    c78b78846da7513873635054351863bbf4d1b68899c6d853d3dbd9e6c1a6a0de

  • SHA512

    15717cc92996d66c287a74899fe3de6aa2420966268313e7d508c75cd30d58be9d142df56928dc70247e284cae1a8f8d28bce4988943a3c4d2f3e1d16de4ae72

  • SSDEEP

    24576:dnvmnihQEGLKxRowYnLDxiifL4t4NWCCizZqJE90yK/cRgOnmq9g6Tj61UJE:dnenm3DAnoifL4yXRQEocOU7m6TUUJE

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-XQA4EKL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    bR7yqUnegNVn

  • install

    true

  • offline_keylogger

    true

  • password

    moumene

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      6a2bef4da76762725022fb0b4edf0102_JaffaCakes118

    • Size

      1.3MB

    • MD5

      6a2bef4da76762725022fb0b4edf0102

    • SHA1

      0ebc3d054c8f4a50acf65a9b0278a5b0921b7cba

    • SHA256

      c78b78846da7513873635054351863bbf4d1b68899c6d853d3dbd9e6c1a6a0de

    • SHA512

      15717cc92996d66c287a74899fe3de6aa2420966268313e7d508c75cd30d58be9d142df56928dc70247e284cae1a8f8d28bce4988943a3c4d2f3e1d16de4ae72

    • SSDEEP

      24576:dnvmnihQEGLKxRowYnLDxiifL4t4NWCCizZqJE90yK/cRgOnmq9g6Tj61UJE:dnenm3DAnoifL4yXRQEocOU7m6TUUJE

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks