General

  • Target

    761b2ea3d2f05a0b94de32442ff9cd05_JaffaCakes118

  • Size

    661KB

  • Sample

    240726-21w1hstdnh

  • MD5

    761b2ea3d2f05a0b94de32442ff9cd05

  • SHA1

    a03f6454f45d207fb5821f68d4d19e76391876c0

  • SHA256

    3bb11a7d30a3e352b6a1919cdae64b58b8ed6581b5c3dc076a3f563ee88c4d86

  • SHA512

    3208510fef115b1abaf9eec90c5540a50d239583fb6fce0e6297950deb44936c653d273677ac9e50193a26199ae297162bf5aab3ce1f1bb67eca5b366994b70b

  • SSDEEP

    12288:IXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452U3:unAw2WWeFcfbP9VPSPMTSPL/rWvzq4JH

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jojojijijojo.no-ip.org:7050

Mutex

DC_MUTEX-VJCE7NK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Qm8S8Vk13fvr

  • install

    true

  • offline_keylogger

    false

  • password

    mutexvisa

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      761b2ea3d2f05a0b94de32442ff9cd05_JaffaCakes118

    • Size

      661KB

    • MD5

      761b2ea3d2f05a0b94de32442ff9cd05

    • SHA1

      a03f6454f45d207fb5821f68d4d19e76391876c0

    • SHA256

      3bb11a7d30a3e352b6a1919cdae64b58b8ed6581b5c3dc076a3f563ee88c4d86

    • SHA512

      3208510fef115b1abaf9eec90c5540a50d239583fb6fce0e6297950deb44936c653d273677ac9e50193a26199ae297162bf5aab3ce1f1bb67eca5b366994b70b

    • SSDEEP

      12288:IXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452U3:unAw2WWeFcfbP9VPSPMTSPL/rWvzq4JH

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks