General

  • Target

    6e60134d0fe3e65aa45deb9c3e84b1a4_JaffaCakes118

  • Size

    236KB

  • Sample

    240725-glwe8asbpk

  • MD5

    6e60134d0fe3e65aa45deb9c3e84b1a4

  • SHA1

    0f221294e3937bcc25691f5d707889d8c5f11eee

  • SHA256

    df0cad739821bec80626a98c9bc52d501ceda97649bb1f8decff2bd97f41f68a

  • SHA512

    aa68c008beb86baa0894dda845e966c83598fff08f41ae7d37e6f2d681178e919975e520e6fce649362afe75cf55eff14a1b8a6d645bc440a3251fdd6611f7c0

  • SSDEEP

    6144:gmDUj24gqU85IzrFA9NfmDuLpNr5NhWudrWDh:gqUj2LkizrzDujVNhWucD

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mkidech.zapto.org:1604

Mutex

DC_MUTEX-NB20Q2J

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    STjsNl3PnbGg

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      6e60134d0fe3e65aa45deb9c3e84b1a4_JaffaCakes118

    • Size

      236KB

    • MD5

      6e60134d0fe3e65aa45deb9c3e84b1a4

    • SHA1

      0f221294e3937bcc25691f5d707889d8c5f11eee

    • SHA256

      df0cad739821bec80626a98c9bc52d501ceda97649bb1f8decff2bd97f41f68a

    • SHA512

      aa68c008beb86baa0894dda845e966c83598fff08f41ae7d37e6f2d681178e919975e520e6fce649362afe75cf55eff14a1b8a6d645bc440a3251fdd6611f7c0

    • SSDEEP

      6144:gmDUj24gqU85IzrFA9NfmDuLpNr5NhWudrWDh:gqUj2LkizrzDujVNhWucD

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
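
The extracted configuration and the behaviours flagged above (Run value named MicroUpdate, a WinLogon modification, a dropped executable at MSDCSC\msdcsc.exe, the mutex DC_MUTEX-NB20Q2J and the C2 mkidech.zapto.org:1604) map directly onto host and network telemetry. The Python below is an added example, not part of this report or of the sandbox's own tooling: it matches those indicators against normalized events. The event schema (kind, key, value, data, path, query, dport) is an assumed normalization rather than any particular EDR's format, the telemetry records are constructed, and the Winlogon\Userinit value is assumed as the modified WinLogon location, which the report does not name. The mutex check also accepts the family's DC_MUTEX- plus seven characters naming pattern, so it generalizes beyond this build.

```python
import re
from dataclasses import dataclass

# Indicators copied from the extracted config and signatures in the report.
CONFIG = {
    "c2_host": "mkidech.zapto.org",
    "c2_port": 1604,
    "mutex": "DC_MUTEX-NB20Q2J",
    "install_path": r"MSDCSC\msdcsc.exe",  # InstallPath; relative, matched as a path suffix
    "reg_key": "MicroUpdate",               # Run value name
}
SHA256 = "df0cad739821bec80626a98c9bc52d501ceda97649bb1f8decff2bd97f41f68a"

# DarkComet names its mutex DC_MUTEX- plus seven characters, so other builds of
# the family are caught as well, not only this one.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


@dataclass(frozen=True)
class Hit:
    rule: str
    evidence: str


def _tail(path: str, suffix: str) -> bool:
    """Case-insensitive 'path ends with suffix' for Windows paths."""
    return path.lower().endswith(suffix.lower())


def match_event(ev: dict) -> list[Hit]:
    """Return indicator hits for one normalized record (assumed schema, see lead-in)."""
    hits: list[Hit] = []
    kind = ev.get("kind")

    if kind == "mutex":
        # Drop an object-manager prefix such as \Sessions\1\BaseNamedObjects\.
        name = ev["name"].rsplit("\\", 1)[-1]
        if name == CONFIG["mutex"]:
            hits.append(Hit("mutex.exact", name))
        elif DC_MUTEX_RE.match(name):
            hits.append(Hit("mutex.family", name))

    elif kind == "registry":
        key = ev["key"].lower()
        value = ev["value"].lower()
        data = ev.get("data", "")
        # "Adds Run key to start application": value name taken from the config.
        if key.endswith(r"\currentversion\run") and value == CONFIG["reg_key"].lower():
            hits.append(Hit("persistence.run_key", f"{ev['value']} = {data}"))
        # "Modifies WinLogon for persistence": assumed to be Userinit with the
        # payload appended after the legitimate userinit.exe entry.
        if key.endswith(r"\winlogon") and value == "userinit":
            appended = data.split(",", 1)[1].strip() if "," in data else ""
            if appended and _tail(appended, CONFIG["install_path"]):
                hits.append(Hit("persistence.winlogon_userinit", data))

    elif kind == "file":
        if _tail(ev["path"], CONFIG["install_path"]):
            hits.append(Hit("file.install_path", ev["path"]))
        if ev.get("sha256", "").lower() == SHA256:
            hits.append(Hit("file.sha256", ev["path"]))

    elif kind == "dns":
        if ev["query"].lower().rstrip(".") == CONFIG["c2_host"]:
            hits.append(Hit("network.c2_dns", ev["query"]))

    elif kind == "netconn":
        if ev.get("dport") == CONFIG["c2_port"] and ev.get("host", "").lower() == CONFIG["c2_host"]:
            hits.append(Hit("network.c2_connect", f"{ev['host']}:{ev['dport']}"))

    return hits


def scan(events) -> list[Hit]:
    return [hit for ev in events for hit in match_event(ev)]


# Constructed telemetry: benign records mixed with records mirroring what this
# sample would leave behind on a host. Not captured from a real system.
SAMPLE_EVENTS = [
    {"kind": "mutex", "name": r"\Sessions\1\BaseNamedObjects\SM0:1234:120:WilError_03"},
    {"kind": "mutex", "name": "DC_MUTEX-NB20Q2J"},
    {"kind": "mutex", "name": "DC_MUTEX-F54S21D"},  # a different DarkComet build
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate", "data": r"C:\Users\u\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"kind": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\u\AppData\Roaming\MSDCSC\msdcsc.exe"},
    {"kind": "file", "path": r"C:\Users\u\AppData\Roaming\MSDCSC\msdcsc.exe", "sha256": SHA256},
    {"kind": "dns", "query": "login.live.com"},
    {"kind": "dns", "query": "mkidech.zapto.org."},
    {"kind": "netconn", "host": "mkidech.zapto.org", "dport": 1604},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:32} {hit.evidence}")
```

Two of the matches are deliberately looser than the report's literal values: the mutex regex flags any DarkComet build, and the install-path and Userinit checks compare path suffixes, since the configured InstallPath is relative and the absolute location depends on the profile the RAT installed into. The SHA-256 match, by contrast, only fires on this exact build; dynamic-DNS hosts such as the zapto.org C2 can be re-pointed by the operator, so treat the DNS and connection hits as indicators of this campaign rather than of a fixed IP.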
