General

  • Target

    8783017c005439b3d0f2b3f18a9bcf5d_JaffaCakes118

  • Size

    650KB

  • Sample

    240810-yz68bawdlp

  • MD5

    8783017c005439b3d0f2b3f18a9bcf5d

  • SHA1

    828d4785737e2c2b044a53b951a605928e2d200d

  • SHA256

    c29308769e6ac527151045a127d4a19a4eca8c978979f8e0b1b8b813b1928677

  • SHA512

    de2de12db3122ac52b333b3e05d385f696b1747dab2e90bed396337dcfbc7f9728444b72436f507ec66ccd7f804c7ee2c81dca160cadd5390738815f267ef379

  • SSDEEP

    12288:7k0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+J:w0QRWoJEfg0oChGdJQbjPbNW5tYeP+G8

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mnanauk-dz.no-ip.biz:1604

Mutex

DC_MUTEX-EB46CLG

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    rpfQbN9b66NT

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      8783017c005439b3d0f2b3f18a9bcf5d_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15