General

  • Target

    7c628b63e00fdfb7cf03f79411deeeea_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240731-pjwbfasfrk

  • MD5

    7c628b63e00fdfb7cf03f79411deeeea

  • SHA1

    a60b798e860fa4c4aa8a43474b86b3f01969ba79

  • SHA256

    4c308a8c665839ea491089cd987ab93a6c09ad9eb6561116776d635b660da101

  • SHA512

    960b1634bf9227c753590f7c2042ae68d9e3eec2ce7722ff74ee257dccbc7da28092e4ea74af6a08790775ef6514436435e12ea4bcda173e08e25b83eca46b43

  • SSDEEP

    12288:B1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnu:t0GMG15eisLl74ZYS+/VRZ

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcoder.no-ip.biz:1604

Mutex

DC_MUTEX-L3VAPKR

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    SSMFGEWonDEN

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks