General

  • Target

    8c82de32ab2b407451b9fc054c09f717_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240812-aad88svhlm

  • MD5

    8c82de32ab2b407451b9fc054c09f717

  • SHA1

    91efbb83a49f55f938465a7e0b5772ebe16aab9d

  • SHA256

    0c2b513e363661f0be0979326dbd243340a10a57b2a533cd0f458cc306a251ce

  • SHA512

    5724a4694c09b4c31989caa4c9b8807d8c976a02c91e145a0b14ef412800b9509447f36dfe94feb186c4195057dde8a89e1e2b798d36d11767b9f72e7b5804e8

  • SSDEEP

    3072:oTngsxpsolJiMbfUM5mQ1+Y03qL7fZjLs3a2ACZaxaYLdViQ7aWVbqDqudD4lxsc:b/Srz

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ayada.no-ip.info:1604

Mutex

ayada

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    ZZvdly66bTkk

  • install

    true

  • offline_keylogger

    true

  • password

    999999999

  • persistence

    false

  • reg_key

    MicroUpdate

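How a config block like the one above is recovered from a DarkComet stub, as an added example that is not part of the sandbox report and not code from the DarkComet author. Public decoders document the layout: the stub carries its settings in an RCDATA resource named DCDATA as a hex string of RC4 ciphertext, the RC4 key is a fixed per-version string ("#KCMDDC51#-890" for 5.1), and the plaintext is a list of KEY={value} lines between "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --". The blob below is constructed here from the report's values so the script runs offline; it is not this sample's real resource. The mapping of DarkComet field names (SID, NETDATA, PERS, ...) onto the report's attribute names is my reading of those decoders and is an assumption, in particular PERS for the report's persistence flag.

```python
"""Recover a DarkComet 5.x config from its (hex-encoded, RC4-encrypted) DCDATA resource.

Added example; constructed sample blob below, not the real resource of this sample.
"""
from binascii import hexlify, unhexlify

# Fixed config keys used by DarkComet stub versions, as listed in public decoders.
KNOWN_KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890",
              b"#KCMDDC42#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890"]

# Assumed mapping from DarkComet's own field names to the report's attribute names.
FIELD_MAP = {
    "SID": "botnet", "NETDATA": "c2", "MUTEX": "mutex", "EDTPATH": "InstallPath",
    "GENCODE": "gencode", "INSTALL": "install", "OFFLINEK": "offline_keylogger",
    "PWD": "password", "PERS": "persistence", "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: bytes):
    """Try each known version key; return (key, plaintext) for the first that yields a config block."""
    ciphertext = unhexlify(hex_blob.strip())
    for key in KNOWN_KEYS:
        plaintext = rc4(key, ciphertext)
        if b"#BEGIN DARKCOMET DATA --" in plaintext:
            return key, plaintext.decode("latin-1")
    raise ValueError("no known DarkComet key decrypts this blob")


def parse_config(plaintext: str) -> dict:
    """Turn KEY={value} lines into the report's attribute names; '1'/'0' become booleans."""
    cfg = {}
    for line in plaintext.splitlines():
        line = line.strip()
        if "=" not in line or not line.endswith("}"):
            continue  # marker lines and anything not in KEY={value} form
        name, _, value = line.partition("=")
        value = value[1:-1]  # strip the surrounding braces
        out_name = FIELD_MAP.get(name)
        if out_name is None:
            continue  # fields the report does not surface (FWB, MELT, ...)
        cfg[out_name] = (value == "1") if out_name in BOOL_FIELDS else value
    return cfg


def traffic_key(version_key: bytes, password: str) -> bytes:
    """Public analyses describe the C2 RC4 key as the version key followed by the PWD value."""
    return version_key + password.encode()


def recover_config(hex_blob: bytes) -> dict:
    key, plaintext = decrypt_dcdata(hex_blob)
    cfg = parse_config(plaintext)
    cfg["version_key"] = key.decode()
    return cfg


# Constructed sample: the report's values laid out in DarkComet's line format,
# encrypted under the 5.1 key and hex-encoded the way the DCDATA resource is stored.
SAMPLE_PLAINTEXT = "\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={ayada}",
    "SID={Guest16}",
    "FWB={0}",
    "NETDATA={ayada.no-ip.info:1604}",
    "GENCODE={ZZvdly66bTkk}",
    "INSTALL={1}",
    r"EDTPATH={MSDCSC\msdcsc.exe}",
    "KEYNAME={MicroUpdate}",
    "PERS={0}",
    "OFFLINEK={1}",
    "PWD={999999999}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_BLOB = hexlify(rc4(b"#KCMDDC51#-890", SAMPLE_PLAINTEXT.encode()))

if __name__ == "__main__":
    for name, value in recover_config(SAMPLE_BLOB).items():
        print(f"{name}: {value}")
```

Against a real stub, read the DCDATA resource with a PE parser and pass its bytes to recover_config; a blob that no key decrypts to a "#BEGIN DARKCOMET DATA --" block is either a different stub version or packed (this sample is UPX packed, so unpack first).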
Targets

    • Target

      8c82de32ab2b407451b9fc054c09f717_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Changes Winlogon registry values so the implant is launched at logon. The extracted config reports persistence=false, yet this signature and the Run key below both fire; treat the observed registry changes, not the config flag, as the persistence indicator.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified UPX (open-source packer).

    • Adds Run key to start application

      The config's reg_key value, MicroUpdate, is the name DarkComet gives this Run entry; its target is the dropped copy at the configured InstallPath, MSDCSC\msdcsc.exe.

    • Suspicious use of SetThreadContext

      Typical of process hollowing (RunPE): a process is started suspended, its image is replaced, and SetThreadContext points the main thread at the injected code.
