General

  • Target

    7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118

  • Size

    592KB

  • Sample

    240801-h7qmjashqb

  • MD5

    7fa2962d464a1e6aaff03c09cf7e538b

  • SHA1

    53ed1256ee387bd8fd015bba0bdc79d754d22c7c

  • SHA256

    f876c0b4cde4cf27754c95b605b62e1952f7c0416ac38a08db6178a895acb4c1

  • SHA512

    99f3f98690da192a7f495236501a40454fcf59bf62c5694f0208b5114886de50ccd23c2d8ad8911a41a670c39369585aa99140269a1534dbea0db4d6eaf6d2b9

  • SSDEEP

    6144:KdtifXN7XegqunP25EmcmiSZPoCE0H3tovCL6DJreQQf17E4oMkZ98gWNlPTGQQX:KOl7OgHP/kiSZBhtovE6SdOvINtTird

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

saw-88.no-ip.biz:1604

Mutex

DC_MUTEX-FAAE1T4

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    4chxqdwMXJlw

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks