General

  • Target

    79e6cc28e0963624948eb30a0d186e18_JaffaCakes118

  • Size

    367KB

  • Sample

    240730-y45v2swhpk

  • MD5

    79e6cc28e0963624948eb30a0d186e18

  • SHA1

    6f2ea39a768a353fbc274bb23b08f017cd063e6f

  • SHA256

    7ee15a666207cba86b1693f32ff79b40b0e45a3fca3ef47b46cb61a9c41d9f9d

  • SHA512

    fbb11d97af83fd50137bce2f0a322a558f4cd02bc2d58650bc65a295a1fe17cde7d8df65279aa75dc2eb02bc4d3bacfaff5742440c0ec882d1ed919fbc2e7fec

  • SSDEEP

    6144:Uo6mAeSeYD5An7Xu8UjsTPH1g3E6mvyiw7/+nx9b7r+oBGFQ04CQskrFLofmE:uChYWnK1EPH18E/vyN+DXIQ7JLofmE

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    116.37.6.196:1604

  • Mutex

    DC_MUTEX-MJ67NPZ

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    xvCNv79xVljd

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks