General

  • Target

    8c90cb0ca8b7277ae3c0edf98f00dbce_JaffaCakes118

  • Size

    498KB

  • Sample

    240812-akn67azhpd

  • MD5

    8c90cb0ca8b7277ae3c0edf98f00dbce

  • SHA1

    6db8e6e929af37af461fd87aeb00ec32ffc8bf7b

  • SHA256

    8af2c0d4c524e4ea108cd55db3d4f004a31a1b7ac6d208f20b00483e9f63d975

  • SHA512

    40c9d0f38a546d3b80453b82bbab9e0e7cc87610c565c200a5b7f68ab412946901a387cdfc764db2b363194e792767ff6868b7fae5a751b875641edc8232c77c

  • SSDEEP

    12288:qBDvl7oYErA5yFyqxyCkmFM16/9CF3R2pfznPdgjhaYjOwHU6U:KFoTrAss0y8FDukj1gVzjOw3U

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    84.72.27.213:1604

  • Mutex

    DC_MUTEX-BJF6JAA

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    PXTVTTGJvgMF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks