General

  • Target

    8164c48d6dd6cc20309bdc5c8135561b_JaffaCakes118

  • Size

    598KB

  • Sample

    240801-v3xaqsvhqd

  • MD5

    8164c48d6dd6cc20309bdc5c8135561b

  • SHA1

    39bd3d2ac36b7461f541c4b861d067c48024742c

  • SHA256

    9aa3ce52260ba0914639a1a63a8c2447563578e8167c50f8a541f542e0f615e8

  • SHA512

    ff28fafcded7e56a99a8e8c7a1e8976c5890cc271ad98bf8296e8366dee05ed4e6acdc83125e5c5bfa2984d288bd9d0d9a59245a1f8ff5bbd109812a9a3d40e1

  • SSDEEP

    12288:wY89kymZ1iptv+qKhFc9mO9HaN2n6jygDAUJ2sc30Xy5SO0PEo:cWymZ1iD+qKhSmOb6rbJu3Ps1

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mohamedmmk.zapto.org:82

Mutex

DC_MUTEX-L1KB0QQ

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    LN0J2LLsllhH

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      8164c48d6dd6cc20309bdc5c8135561b_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks