General

  • Target

    7fb95a278a19e2e617103073ce277949_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240801-jqy31sthmg

  • MD5

    7fb95a278a19e2e617103073ce277949

  • SHA1

    b35d3abe168e600e479fe4ee0a9bbd0d16896293

  • SHA256

    e10ceccfa2079cd2c7fbd113a12b2543089858353aa864120ac4fa4293a44c82

  • SHA512

    f3a7abb1041b9cb894e11d240e651e1874f4698a426f652afa82360065da05cbbed3e7910b8cd3a82bc38b35e6ce5a07b8cc110e7c3823816fc4e4104fb112b8

  • SSDEEP

    24576:FhXEizcghu+seL01pUbWm/FZk8KDdZprnIRWmAZfwv:z0rgw+s8k8KZ6DA1e

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

rat298.no-ip.biz:1604

Mutex

DC_MUTEX-0GZYHZ0

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    z8rgSbLtXLFl

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15