General

  • Target

    73c98ffcdfaa60ff5d8cf6dabda7d0ab_JaffaCakes118

  • Size

    678KB

  • Sample

    240726-m7treatgpq

  • MD5

    73c98ffcdfaa60ff5d8cf6dabda7d0ab

  • SHA1

    046910bb88a9360ce24269768c9a46143697c103

  • SHA256

    f9405a6c0b639fe55234089fa4266e53d85dedcb4111b692d832ae2f76643f0d

  • SHA512

    826bafe8b7d365c91c7f9ddf56bdc432ec4035bb90602b71e0248ddb2fb1ada773ddefbf7c1bd2e6fe22feeac0e15c9fb6e6aa3d153bdf05494a1c8230644a6a

  • SSDEEP

    12288:7GS0C81G0DCneK63t+ZDCrv9MVX0XNsrgpqfdhexnV1Ua9+8GPh4e+X+ETfA:7D0DSeK6GIliIsrgcOV1Ua5GZLMTfA

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

masss.no-ip.biz:1604

Mutex

DC_MUTEX-KPFPAPT

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    f56klvnL1Z1j

  • install

    true

  • offline_keylogger

    true

  • password

    12345

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      73c98ffcdfaa60ff5d8cf6dabda7d0ab_JaffaCakes118

    • Size

      678KB

    • MD5

      73c98ffcdfaa60ff5d8cf6dabda7d0ab

    • SHA1

      046910bb88a9360ce24269768c9a46143697c103

    • SHA256

      f9405a6c0b639fe55234089fa4266e53d85dedcb4111b692d832ae2f76643f0d

    • SHA512

      826bafe8b7d365c91c7f9ddf56bdc432ec4035bb90602b71e0248ddb2fb1ada773ddefbf7c1bd2e6fe22feeac0e15c9fb6e6aa3d153bdf05494a1c8230644a6a

    • SSDEEP

      12288:7GS0C81G0DCneK63t+ZDCrv9MVX0XNsrgpqfdhexnV1Ua9+8GPh4e+X+ETfA:7D0DSeK6GIliIsrgcOV1Ua5GZLMTfA

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks