General

  • Target

    6b18a6b20832fb7929ccb4b3043f3218_JaffaCakes118

  • Size

    964KB

  • Sample

    240724-lk5dyssbme

  • MD5

    6b18a6b20832fb7929ccb4b3043f3218

  • SHA1

    6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a

  • SHA256

    70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20

  • SHA512

    f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9

  • SSDEEP

    24576:CMFvr6fMVQXwU23E/0iprDKUHSIHzOIfbfxRwv6lRu9xitRHsn:CMFO+QXwb3xGmDIHzOIfjblRuCto

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

84.72.27.213:1604

Mutex

DC_MUTEX-3WNETRQ

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    RJVLW58TNDYF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      6b18a6b20832fb7929ccb4b3043f3218_JaffaCakes118

    • Size

      964KB

    • MD5

      6b18a6b20832fb7929ccb4b3043f3218

    • SHA1

      6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a

    • SHA256

      70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20

    • SHA512

      f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9

    • SSDEEP

      24576:CMFvr6fMVQXwU23E/0iprDKUHSIHzOIfbfxRwv6lRu9xitRHsn:CMFO+QXwb3xGmDIHzOIfjblRuCto

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks