General

  • Target

    71724dd56b95cfd21320f590f574443e_JaffaCakes118

  • Size

    402KB

  • Sample

    240725-151c3ayaqj

  • MD5

    71724dd56b95cfd21320f590f574443e

  • SHA1

    e1c8dd908425fcf802bc33675d3c48f894a7b238

  • SHA256

    01266e3f2e2c18d219ad878dcccf2717e5b8205d62d2a1afe231d76bd216c9f1

  • SHA512

    8793e1dbdd87d79cdf19841caf3f1818f4b8d57a6a009afee233231a95970a40991e287d643aff368830f447fd80e3f6d4ed5f3a145bb6931642f077e1221921

  • SSDEEP

    12288:rhxoMVJyfJNiN3N1x080oUJjZmcUjupNiP:rrdJyRNiN350r4IiP

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-YV9537W

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    vtZamnSTfx5d

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15