General

  • Target

    8393b965a4159ab6400d46899c943af1_JaffaCakes118

  • Size

    234KB

  • Sample

    240809-z4lb3stbrc

  • MD5

    8393b965a4159ab6400d46899c943af1

  • SHA1

    13f2b5f18cbb2ea6165bcca033d3d17880965a71

  • SHA256

    a243b4d437e5381ce22852e3bc6f6621dfaf8a618526d37d4e763a43c5634c07

  • SHA512

    8f5146b3ff5e35e8b9376a568da405bb74f89da8d36d7faba79a32281b25f57e6fa6b93a3b22ab4bc36041025e902e45ffcca18865e74a732d5ff30b9040483e

  • SSDEEP

    6144:9hqN2gp8/DlfS7kuF8EZZY0W+DBOeq0S98JS9ToS:9h8eDlK7iEFVhq0SeU9ToS

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-F54S21D

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    VzpgEE93M5fr

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15