General

  • Target

    8a3babb47d9bbcb82de6385a929eec89_JaffaCakes118

  • Size

    284KB

  • Sample

    240811-nvv95sscqa

  • MD5

    8a3babb47d9bbcb82de6385a929eec89

  • SHA1

    8a0a85f0b6f179b05864a4e9b92f0454f30cd80d

  • SHA256

    9838e229ca80d7d2f1a9d67a83014127b3bed58cf3941be5ebb7313285e1992e

  • SHA512

    4fede170279f4945566e73c52ddb0d4ea477386fca89731121f627b046d0d3798d7c52a11701a6a9dc3e0e319904e8a70d2a8abd09a081980a86037c3e9d2945

  • SSDEEP

    6144:NMI/jlS4kCwHL76nz9Q3uR5LTYYBIsHhl:NMQlS9Cwr79uLLTvBIYhl

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

84.128.66.246:1604

Mutex

DC_MUTEX-VQDFNGM

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    YKec4W0NVa4f

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
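The attributes above are the sandbox's decrypted view of the configuration the sample carries. Shown here as an added example, not the sandbox's own extractor, is how such a config is recovered and mapped to the attribute names used in this report. It assumes, from public DarkComet write-ups rather than from this page, that the config is stored as lines of `NAME=<hex>` where each value is RC4-encrypted with a static per-version key (such as `#KCMDDC51#-890`) and hex-encoded, and that the raw field names are MUTEX, NETDATA, SID, GENCODE, INSTALL, OFFLINEK, PERSINST, KEYNAME and EDTPATH. Because no binary is available here, the blob is first constructed from the report's values and then decrypted as an unknown blob would be.

```python
"""Recover a DarkComet-style embedded config and map it to the report fields.

Added example; this is not the sandbox's own extractor. Assumptions (from
public DarkComet analyses, not from this report):
  * the config is a text blob of lines "NAME=<hex>", each value separately
    RC4-encrypted with a static per-version key and hex-encoded;
  * raw field names such as MUTEX, NETDATA, SID, GENCODE, KEYNAME, EDTPATH.
Since no binary is available here, the blob is constructed from the values in
the report and then decrypted as an unknown blob would be.
"""
import binascii
import ipaddress

# Static per-version keys reported in public analyses (assumption).
VERSION_KEYS = [b"#KCMDDC2#-890", b"#KCMDDC4#-890", b"#KCMDDC42#-890",
                b"#KCMDDC42F#-890", b"#KCMDDC5#-890", b"#KCMDDC51#-890"]

# Raw DarkComet field -> attribute name used in the report (assumed mapping).
FIELD_MAP = {
    "MUTEX": "mutex", "NETDATA": "c2", "SID": "botnet", "GENCODE": "gencode",
    "INSTALL": "install", "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence", "KEYNAME": "reg_key", "EDTPATH": "InstallPath",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}

# Constructed from the report's Malware Config section.
SAMPLE_VALUES = {
    "MUTEX": "DC_MUTEX-VQDFNGM", "SID": "Guest16", "NETDATA": "84.128.66.246:1604",
    "GENCODE": "YKec4W0NVa4f", "INSTALL": "1", "OFFLINEK": "1", "PERSINST": "1",
    "KEYNAME": "MicroUpdate", "EDTPATH": r"MSDCSC\msdcsc.exe",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_blob(values: dict, key: bytes) -> bytes:
    """Constructed stand-in for the resource contents (assumed layout)."""
    lines = [f"{name}={binascii.hexlify(rc4(key, val.encode())).decode()}"
             for name, val in values.items()]
    return "\n".join(lines).encode()


def decrypt_blob(blob: bytes):
    """Try every known key; accept the first that yields printable ASCII for all fields."""
    fields = []
    for line in blob.decode(errors="replace").splitlines():
        if "=" in line:
            name, hexval = line.split("=", 1)
            fields.append((name.strip(), binascii.unhexlify(hexval.strip())))
    for key in VERSION_KEYS:
        decoded = {name: rc4(key, raw) for name, raw in fields}
        if all(v and all(32 <= b < 127 for b in v) for v in decoded.values()):
            return key, {n: v.decode("ascii") for n, v in decoded.items()}
    raise ValueError("no version key decrypts this blob")


def normalise(raw: dict) -> dict:
    """Rename raw fields to the report's attribute names and type the values."""
    cfg = {}
    for name, value in raw.items():
        attr = FIELD_MAP.get(name)
        if attr is None:
            continue  # fields the report does not surface are dropped
        if attr in BOOL_FIELDS:
            cfg[attr] = value == "1"
        elif attr == "c2":
            host, port = value.rsplit(":", 1)
            ipaddress.ip_address(host)  # raises on a malformed address
            cfg[attr] = (host, int(port))
        else:
            cfg[attr] = value
    return cfg


if __name__ == "__main__":
    blob = build_blob(SAMPLE_VALUES, b"#KCMDDC51#-890")
    key, raw = decrypt_blob(blob)
    print("key:", key.decode())
    for k, v in normalise(raw).items():
        print(f"  {k}: {v}")
```

Trying every version key and keeping only a result in which every field is printable is what makes this usable on an unknown sample: a wrong key turns the longer fields (mutex, C2, gencode) into non-ASCII bytes, so a single short field decrypting to something printable by chance does not produce a false match.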

Targets

    • Target

      8a3babb47d9bbcb82de6385a929eec89_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Sets the hidden file attribute so the file is not shown by default in Explorer or other tools that honour it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

    • Windows security modification

    • Adds Run key to start application
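The behaviours listed above, together with the extracted config, give a small set of host artefacts worth hunting for: a Run value named MicroUpdate, a Winlogon helper pointing at the dropped file, the DisableRegistryTools and DisableTaskMgr policy values, a hidden msdcsc.exe under a MSDCSC directory, a DC_MUTEX- mutex and traffic to 84.128.66.246:1604. The following is an added example of that hunting logic run over a constructed Sysmon-like event list; it is not code from the sandbox that produced this report. The registry paths for the Run, Policies\System, Winlogon and FirewallPolicy values are standard Windows locations, the DC_MUTEX- prefix is generalised from the one mutex name on the page, and the ATT&CK technique IDs in the rule names are the example author's mapping, not taken from this page.

```python
"""Hunt a host snapshot for the artefacts this report attributes to the sample.

Added example, not code from the sandbox. The events below are constructed
in a Sysmon-like shape; the rules match on values shown in the report
(mutex prefix DC_MUTEX-, Run value "MicroUpdate", install path
MSDCSC\\msdcsc.exe, C2 84.128.66.246:1604) plus the standard Windows registry
locations for policy, Winlogon and firewall-profile settings. ATT&CK IDs in
rule names are the example author's assumed mapping.
"""
import re

C2 = ("84.128.66.246", 1604)
INSTALL_SUFFIX = r"\msdcsc\msdcsc.exe"
MUTEX_RE = re.compile(r"DC_MUTEX-[A-Z0-9]+")  # generalised from the report's mutex (assumption)
# Default Winlogon values end with these binaries; any other entry is a helper.
WINLOGON_DEFAULT = {"userinit": "userinit.exe", "shell": "explorer.exe"}

# Constructed sample: malicious records interleaved with benign noise.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroUpdate", "data": r"C:\Windows\system32\MSDCSC\msdcsc.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "name": "DisableTaskMgr", "data": 1},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "name": "DisableRegistryTools", "data": 1},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "UserInit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\MSDCSC\msdcsc.exe"},
    {"type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "name": "EnableFirewall", "data": 0},
    {"type": "mutex", "name": "DC_MUTEX-VQDFNGM"},
    {"type": "mutex", "name": r"Local\SM0:1234:304:WilStaging_02"},
    {"type": "file", "path": r"C:\Windows\system32\MSDCSC\msdcsc.exe", "attributes": ["HIDDEN", "SYSTEM"]},
    {"type": "netconn", "dst_ip": "84.128.66.246", "dst_port": 1604},
    {"type": "netconn", "dst_ip": "203.0.113.5", "dst_port": 443},  # RFC 5737 test address
]


def rule_registry(ev):
    key, name, data = ev["key"].lower(), ev["name"].lower(), ev["data"]
    if key.endswith(r"\currentversion\run") and name == "microupdate":
        return "T1547.001 Run value 'MicroUpdate'", f"{ev['name']} = {data}"
    if key.endswith(r"\policies\system") and name in ("disableregistrytools", "disabletaskmgr") \
            and str(data) == "1":
        return "T1562.001 admin tool disabled via policy", ev["name"]
    if key.endswith(r"\winlogon") and name in WINLOGON_DEFAULT:
        extra = [p.strip() for p in str(data).split(",")
                 if p.strip() and not p.strip().lower().endswith(WINLOGON_DEFAULT[name])]
        if extra:
            return "T1547.004 Winlogon helper added", ", ".join(extra)
    if r"\firewallpolicy" in key and name == "enablefirewall" and str(data) == "0":
        return "T1562.004 firewall profile disabled", ev["key"]
    return None


def rule_mutex(ev):
    if MUTEX_RE.fullmatch(ev["name"]):
        return "DarkComet default mutex", ev["name"]
    return None


def rule_file(ev):
    if ev["path"].lower().endswith(INSTALL_SUFFIX):
        attrs = ",".join(ev.get("attributes", [])) or "none"
        return f"T1564.001 DarkComet install path (attributes: {attrs})", ev["path"]
    return None


def rule_netconn(ev):
    if (ev["dst_ip"], ev["dst_port"]) == C2:
        return "known C2 endpoint", f"{ev['dst_ip']}:{ev['dst_port']}"
    return None


RULES = {"registry": rule_registry, "mutex": rule_mutex, "file": rule_file, "netconn": rule_netconn}


def detect(events):
    """Return one hit per event that matches a rule, in event order."""
    hits = []
    for ev in events:
        rule = RULES.get(ev.get("type"))
        result = rule(ev) if rule else None
        if result:
            hits.append({"rule": result[0], "evidence": result[1]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['evidence']}")
```

The Winlogon rule deliberately does not look for msdcsc.exe by name: it flags any Userinit or Shell entry that is not the default binary, so a rebuilt sample with a different install path still trips it, while the Run-key, path and C2 rules are tied to this sample's values and should be kept in sync with the config above.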

MITRE ATT&CK Enterprise v15

Tasks