General

  • Target

    7fdf52e6c29795edf3873748ade13d0e_JaffaCakes118

  • Size

    548KB

  • Sample

    240801-krbvjssbrj

  • MD5

    7fdf52e6c29795edf3873748ade13d0e

  • SHA1

    14c005aeb0015840038e38bd8f3ed8b8d0afb08f

  • SHA256

    a010cb86c49f5095e8d23a269dfaeadaa4271311fd81ae3ecbb58d8d9405f8a9

  • SHA512

    ba40011c93bc6b4610f12084b1c12612e0a6fd791a8424bd69028fd503a9feddc1546d41f78aa1a0e51c8b2f446884f59d11bb633eddeff21f417cde012878bb

  • SSDEEP

    12288:1QnZp+FguhYs1ob8SfLR18KHwbQhpZggZE6rDoa2aRTiua:CnZDN1b7JV4

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcommetrat.no-ip.org:25565

Mutex

DC_MUTEX-MV4JSRU

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    UrntQd1f4RHS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      7fdf52e6c29795edf3873748ade13d0e_JaffaCakes118

    • Size

      548KB

    • MD5

      7fdf52e6c29795edf3873748ade13d0e

    • SHA1

      14c005aeb0015840038e38bd8f3ed8b8d0afb08f

    • SHA256

      a010cb86c49f5095e8d23a269dfaeadaa4271311fd81ae3ecbb58d8d9405f8a9

    • SHA512

      ba40011c93bc6b4610f12084b1c12612e0a6fd791a8424bd69028fd503a9feddc1546d41f78aa1a0e51c8b2f446884f59d11bb633eddeff21f417cde012878bb

    • SSDEEP

      12288:1QnZp+FguhYs1ob8SfLR18KHwbQhpZggZE6rDoa2aRTiua:CnZDN1b7JV4

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks