General

  • Target

    6bf9df53209b7171408453653d4cfd27_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240724-syxplawema

  • MD5

    6bf9df53209b7171408453653d4cfd27

  • SHA1

    f20d13ac603eacb852d36fb1ac49445899cec4e9

  • SHA256

    35b82a0cb0183b65bac3c2b2ae4f4252bfce73b2eae8a8459aadb77e57ed2789

  • SHA512

    eda047a9f8a7b21390f65acf91c96b1c91e03dab49143181afff0dad2eb13dd9aeef69691f8cffcf163303dcd0913cff72d802761149d45ea8087d734505f3aa

  • SSDEEP

    24576:XJ9NBbNrxMKT54cKZdcuPkNCTcK4oDU86fO:XJikyNTmMOO

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

love88.no-ip.biz:1604

Mutex

DC_MUTEX-52SB0ER

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    vBKlvr7htqZr

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6bf9df53209b7171408453653d4cfd27_JaffaCakes118

    • Size

      1.4MB

    • MD5

      6bf9df53209b7171408453653d4cfd27

    • SHA1

      f20d13ac603eacb852d36fb1ac49445899cec4e9

    • SHA256

      35b82a0cb0183b65bac3c2b2ae4f4252bfce73b2eae8a8459aadb77e57ed2789

    • SHA512

      eda047a9f8a7b21390f65acf91c96b1c91e03dab49143181afff0dad2eb13dd9aeef69691f8cffcf163303dcd0913cff72d802761149d45ea8087d734505f3aa

    • SSDEEP

      24576:XJ9NBbNrxMKT54cKZdcuPkNCTcK4oDU86fO:XJikyNTmMOO

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

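The extracted config above (C2, mutex, install path, Run key value) and the persistence signatures (Run key, Winlogon modification, dropped EXE execution) give enough to sweep endpoint telemetry. The script below is an added example, not part of the sandbox report or of any tool it references: it parses the "Malware Config" block in the layout the page uses, derives IOCs from it, and matches them against Sysmon-style events. The events, the file paths, the SID and the Winlogon value name "UserInit" are constructed for illustration (the report only says the Winlogon key was modified, not which value), and the match names are this example's own. The mutex is kept in the IOC set for a handle or memory scan but is not checked here, since Sysmon does not log mutex creation.

```python
"""
Derive host/network IOCs from the DarkComet config shown above and run them
over constructed Sysmon-style events. Added example; not part of the report.
"""
from typing import Dict, List, Tuple

# Copy of the report's "Malware Config" block, in the plain-text layout the page uses.
REPORT_CONFIG = r"""
Family

darkcomet

Botnet

Guest16

C2

love88.no-ip.biz:1604

Mutex

DC_MUTEX-52SB0ER

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    vBKlvr7htqZr

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse the key / blank / value layout; attribute keys carry a leading bullet."""
    tokens = [ln.strip().lstrip("•").strip() for ln in text.splitlines() if ln.strip()]
    tokens = [t for t in tokens if t != "Attributes"]  # section heading, not a key
    if len(tokens) % 2:
        raise ValueError("config block is not a sequence of key/value pairs")
    return dict(zip(tokens[0::2], tokens[1::2]))


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    host, port = cfg["C2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["Mutex"],                       # for a handle/mutant scan; Sysmon does not log it
        "install_path": cfg["InstallPath"].lower(),  # relative; the report does not name the base directory
        "run_value": cfg["reg_key"],                 # value name under ...\CurrentVersion\Run
    }


def match_event(ev: Dict[str, object], iocs: Dict[str, object]) -> List[str]:
    """Return the IOC match names for one event; field names follow Sysmon's."""
    hits: List[str] = []
    eid = ev["EventID"]
    if eid == 1 and str(ev.get("Image", "")).lower().endswith(iocs["install_path"]):
        hits.append("install_path_executed")          # "Executes dropped EXE"
    if eid == 22 and str(ev.get("QueryName", "")).lower() == iocs["c2_host"]:
        hits.append("c2_dns_query")
    if eid == 3:
        if str(ev.get("DestinationHostname", "")).lower() == iocs["c2_host"]:
            hits.append("c2_connection")
        elif ev.get("DestinationPort") == iocs["c2_port"]:
            hits.append("c2_port_only")               # weaker: port without the hostname
    if eid == 13:
        target = str(ev.get("TargetObject", "")).lower()
        if target.endswith("\\currentversion\\run\\" + iocs["run_value"].lower()):
            hits.append("run_key_persistence")        # "Adds Run key to start application"
        if "\\winlogon\\" in target:
            hits.append("winlogon_modified")          # broad: any value under the Winlogon key
    return hits


# Constructed events, not from the report; paths, SID and the Winlogon value are illustrative.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 1, "Image": "C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\UserInit"},
    {"EventID": 22, "QueryName": "love88.no-ip.biz"},
    {"EventID": 3, "DestinationHostname": "love88.no-ip.biz", "DestinationPort": 1604},
    {"EventID": 3, "DestinationHostname": "203.0.113.9", "DestinationPort": 1604},
    {"EventID": 3, "DestinationHostname": "update.example.net", "DestinationPort": 443},
]


def scan(events: List[Dict[str, object]], iocs: Dict[str, object]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matches) for every event that hits at least one IOC."""
    out: List[Tuple[int, List[str]]] = []
    for i, ev in enumerate(events):
        hits = match_event(ev, iocs)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    iocs = derive_iocs(parse_config(REPORT_CONFIG))
    for idx, hits in scan(EVENTS, iocs):
        print(idx, EVENTS[idx]["EventID"], hits)
```

The install-path match is a suffix match because the config only gives `MSDCSC\msdcsc.exe` relative to an unstated base directory; the port-only rule is kept separate and lower confidence, since 1604 is also DarkComet's default port and a dynamic-DNS C2 such as love88.no-ip.biz will resolve to changing addresses.
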
MITRE ATT&CK Enterprise v15

Tasks