General

  • Target

    4a152e4035f9c9e98a81519881394cfa_JaffaCakes118

  • Size

    253KB

  • Sample

    240729-q2nvra1clr

  • MD5

    4a152e4035f9c9e98a81519881394cfa

  • SHA1

    3dd73c4fcde3b7dc477d1c99835032f7a732681b

  • SHA256

    726f0333e1ef67ca0f9bf1ca37f63b0cdd1f4112241c7a208bca73de5462f6ba

  • SHA512

    e764ce719989812948a53459c0f61ed73fd597faa8ad04cafe247894a451c1bce8b70f265ac1e3ecfff8387f44b1a76d06caaef2d691f565dd56c8a55df7264b

  • SSDEEP

    6144:WD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZ:Wl8E4w5huat7UovONzbXw

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

vzlomzokrk.ddns.net:1604

vzlomzokrk.ddns.net:27015

vzlomzokrk.ddns.net:27016

Mutex

DC_MUTEX-J0D6D42

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    nHTAViDmi43W

  • install

    true

  • offline_keylogger

    false

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks