General

  • Target

    90bd715c899996fa14a8021328c8a6f1_JaffaCakes118

  • Size

    913KB

  • Sample

    240812-3hvv6s1glh

  • MD5

    90bd715c899996fa14a8021328c8a6f1

  • SHA1

    56ac9ad89daa2560a07bedc7fc2192fbed29b922

  • SHA256

    e8976511cedc5defb1debe7b9925c4fbe1c0f0cc0aeb6d1d0002189f2f0569eb

  • SHA512

    b892a01230f5ebcb106ebccb0b6116b52284c52cceb04d33e30ad44fca591c9398869f4308ae30ebc2d34db9b8bfe7473a78484d410362f702571d57d2070e46

  • SSDEEP

    12288:BVZIigI1It9TELpHyW8o7YNQbxBeW8/LViyIakQz15bbPuyW0bXNpbyk8rHpgJHv:xIigI1It1spwQbMiyIakELBXn8zpoHv

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    rorororo.no-ip.info:81

  • Mutex

    DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Y3ni72Mf406g

  • install

    true

  • offline_keylogger

    true

  • password

    1

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      90bd715c899996fa14a8021328c8a6f1_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks