General

  • Target

    6bca1b1d30c05d930ed2c8f25ed17643_JaffaCakes118

  • Size

    892KB

  • Sample

    240724-rt6aha1ajl

  • MD5

    6bca1b1d30c05d930ed2c8f25ed17643

  • SHA1

    06e0340ed88bf9ef1455491e60477ee4f0cb8f58

  • SHA256

    e30b11468667da8d6823ecddb4c1ee20eca12b0f48c4920b66bd0a3639c3ecb8

  • SHA512

    53eece6a291401ec0192e29a5a78a4c73c82c6e9127d0371131e9bc5731d6b545ae6c5a39829208a10cb483bc9c9cc2ba66a475fd7d28257c8ef53ff24c509d6

  • SSDEEP

    24576:dqhT7SBW5znjj3S+fr4cjaKTbpHCiMDRU3EbReRbCfwMw424:EhT7NnS+fr4LKTbpHCiMDRwfMw42

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

shy1.no-ip.biz:871

Mutex

DC_MUTEX-66AJEMJ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    zsGjUsLt4ms6

  • install

    true

  • offline_keylogger

    true

  • password

    aze123456

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6bca1b1d30c05d930ed2c8f25ed17643_JaffaCakes118

    • Size

      892KB

    • MD5

      6bca1b1d30c05d930ed2c8f25ed17643

    • SHA1

      06e0340ed88bf9ef1455491e60477ee4f0cb8f58

    • SHA256

      e30b11468667da8d6823ecddb4c1ee20eca12b0f48c4920b66bd0a3639c3ecb8

    • SHA512

      53eece6a291401ec0192e29a5a78a4c73c82c6e9127d0371131e9bc5731d6b545ae6c5a39829208a10cb483bc9c9cc2ba66a475fd7d28257c8ef53ff24c509d6

    • SSDEEP

      24576:dqhT7SBW5znjj3S+fr4cjaKTbpHCiMDRU3EbReRbCfwMw424:EhT7NnS+fr4LKTbpHCiMDRwfMw42

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks