General

  • Target

    82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240802-dy5ymstckk

  • MD5

    82dc3548b3bdb2f5ac595a7b10a686b5

  • SHA1

    2fd25bcfb3440d3d9b55e20a6f272def0644fc9e

  • SHA256

    a594312bae733f5b364d85bbb4116a31d5a40617b1e1487a4f1243cc6e15375d

  • SHA512

    82fe8bca701a04baaf577f70aea7e0fdbf13af4ddbf1422c0a75bba06aaf0e4a9f651e0dc7752326b9a792f53c648a119156467d9b3d3c8c7f1c4d296be10f6d

  • SSDEEP

    24576:pNh+giDWlMUKfb3QUi1Cqn21DEEZ6yh0u:pn+giEMr8UXsQQEJX

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

yesyoa.no-ip.biz:1337

Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    MlumXEwFRnE1

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118

    • Size

      1.1MB

    • MD5

      82dc3548b3bdb2f5ac595a7b10a686b5

    • SHA1

      2fd25bcfb3440d3d9b55e20a6f272def0644fc9e

    • SHA256

      a594312bae733f5b364d85bbb4116a31d5a40617b1e1487a4f1243cc6e15375d

    • SHA512

      82fe8bca701a04baaf577f70aea7e0fdbf13af4ddbf1422c0a75bba06aaf0e4a9f651e0dc7752326b9a792f53c648a119156467d9b3d3c8c7f1c4d296be10f6d

    • SSDEEP

      24576:pNh+giDWlMUKfb3QUi1Cqn21DEEZ6yh0u:pn+giEMr8UXsQQEJX

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks