General

  • Target

    819df246b27da35f467f59c80f167bc9_JaffaCakes118

  • Size

    350KB

  • Sample

    240801-xnjr7stfnl

  • MD5

    819df246b27da35f467f59c80f167bc9

  • SHA1

    1e37271655b1e9499de89b2e836138151e1dd7f7

  • SHA256

    eacf46e22b979eceb17b7d63ade9fbaae70a7aa10346cf7bf0bf0cd374c53f1a

  • SHA512

    b04ef5971b941df40c3427a6a39774c9f0f993b6d2b4c858bd1ffcaeeb5570fd1491236af52ac437902de0e451a71230b0e3aed7f4a0d98e818e28f7e67a02a1

  • SSDEEP

    6144:4D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZDh585LLTMdi:4l8E4w5huat7UovONzbXwZ58dMd0QZhw

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    iwinuwin.no-ip.biz:1604

  • Mutex

    DC_MUTEX-DB8SYQ3

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    A1EK50iyckHV

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      819df246b27da35f467f59c80f167bc9_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks