General

  • Target

    7897837885b3a475f18e5ee864f7238a_JaffaCakes118

  • Size

    331KB

  • Sample

    240727-sknvjavflq

  • MD5

    7897837885b3a475f18e5ee864f7238a

  • SHA1

    485882ba501347eb99489c10867bd1520decd1f5

  • SHA256

    9692260cb951a7685dd29e7b410ca5a086514a402ac9f36c7fc5d47ddbe06bf6

  • SHA512

    f2c6a420ae9161d5c67cbbccb037880498425ccb8efa335380c49234e193a654622e458f59e8e57a1823a990305b3de12a1ea99461003fb4e87feade785768f7

  • SSDEEP

    6144:hhH76Gd6Mqk84ZIjzJNiNr5ldxb6g1x080pqUJjZmSpUjVIH3soJ:hhxoMVJyfJNiN3N1x080oUJjZmcUjup

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    127.0.0.1:1604

  • Mutex

    DC_MUTEX-YV9537W

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    vtZamnSTfx5d

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks