General

  • Target

    8ceb8ac17d21b6a69dcb9dada02fe686_JaffaCakes118

  • Size

    400KB

  • Sample

    240812-cp13na1apj

  • MD5

    8ceb8ac17d21b6a69dcb9dada02fe686

  • SHA1

    37a2fa9c7d278f8c106f087136653f0b9002e976

  • SHA256

    0204b973fd46c6129f9017ecec399412c990c106b4bb23ab045a50a3b274efec

  • SHA512

    0959569df64fbd9dbbb8da7843bb57dea4c3ac3edcc958052e7c132e9e2217b5510e071a98b1cb37bee6498bd09a8b0e7af8f3bc16d24400f1f07519730f722e

  • SSDEEP

    6144:IF7wDQUwmdpdXcXVYO/yx2MK7D9EgHq/t6OFIMdWnpQZh9h4NLLKjc769/cE6:IeDqyKPT7fK6O2Md0QZh9uQjc769k5

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

192.168.1.88:1604

mangerpop.hopto.org:1604

(The first two entries are loopback and RFC 1918 addresses, i.e. builder test values left in the config; the only routable C2 in this build is the dynamic-DNS hostname, and port 1604 is DarkComet's default listener port.)

Mutex

DC_MUTEX-5UP3J49

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    roLHG4YvnZgu

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      8ceb8ac17d21b6a69dcb9dada02fe686_JaffaCakes118

    • Size

      400KB

    • MD5

      8ceb8ac17d21b6a69dcb9dada02fe686

    • SHA1

      37a2fa9c7d278f8c106f087136653f0b9002e976

    • SHA256

      0204b973fd46c6129f9017ecec399412c990c106b4bb23ab045a50a3b274efec

    • SHA512

      0959569df64fbd9dbbb8da7843bb57dea4c3ac3edcc958052e7c132e9e2217b5510e071a98b1cb37bee6498bd09a8b0e7af8f3bc16d24400f1f07519730f722e

    • SSDEEP

      6144:IF7wDQUwmdpdXcXVYO/yx2MK7D9EgHq/t6OFIMdWnpQZh9h4NLLKjc769/cE6:IeDqyKPT7fK6O2Md0QZh9uQjc769k5

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Writes under the Winlogon registry key so the dropped executable is launched at user logon, a second persistence mechanism alongside the Run value below.

    • Modifies firewall policy service

      Changes the Windows Firewall policy settings kept under the SharedAccess service; DarkComet builds can be configured to disable the firewall on install.

    • Checks computer location settings

      Reads the country/locale code stored in the registry. The sandbox flags this because it is commonly used to geofence execution; the report does not show the sample acting on the result.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      The Run value name is the reg_key from the extracted config (MicroUpdate) and its data points at the dropped InstallPath (MSDCSC\msdcsc.exe).
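The extracted config and the signatures above translate directly into host and network hunting logic. The following is an added example (not part of the sandbox report and not the sample's or the sandbox's own code) that takes the config values exactly as listed on this page and runs them over a handful of constructed Sysmon-style event lines. It drops the loopback/private C2 entries as non-actionable, matches the Run value name and any Run/Winlogon value whose data ends in the install path, and matches both this build's mutex and the generic DC_MUTEX- prefix shared across DarkComet builds. The event lines, the key=value record format and the specific Winlogon value name in the constructed event are assumptions for illustration; the report does not show them.

```python
"""Hunt for the DarkComet config from this report in host/network telemetry.

Added example: IOC values are the ones extracted on the page; the event
lines below are constructed to resemble Sysmon records (EventID 13 = registry
value set, EventID 3 = network connection) and are not from the real run.
"""
import ipaddress
import re
from dataclasses import dataclass

# Config exactly as extracted on this page.
DARKCOMET_CFG = {
    "c2": ["127.0.0.1:1604", "192.168.1.88:1604", "mangerpop.hopto.org:1604"],
    "mutex": "DC_MUTEX-5UP3J49",
    "install_path": r"MSDCSC\msdcsc.exe",  # relative: the parent directory is not given on the page
    "reg_key": "MicroUpdate",              # name of the Run value
}

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value pairs, values may contain spaces
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\", re.IGNORECASE)
# Every DarkComet build uses a DC_MUTEX-<random> mutex, so the prefix catches the family.
DC_MUTEX_RE = re.compile(r"\bDC_MUTEX-[A-Z0-9]+\b")


def parse(line):
    """Split a 'Key=Value Key2=Value two' record into a dict."""
    return dict(FIELD_RE.findall(line))


def actionable_c2(entries):
    """Drop loopback / RFC 1918 C2 entries: builder test values, not hunting IOCs."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_loopback or ip.is_private:
                continue
        except ValueError:
            pass  # a hostname, keep it
        out.append((host.lower(), int(port)))
    return out


@dataclass
class Hit:
    rule: str
    line: str


def hunt(lines, cfg=DARKCOMET_CFG):
    """Return one Hit per matched rule, in input order."""
    c2 = actionable_c2(cfg["c2"])
    install = cfg["install_path"].lower()
    hits = []
    for line in lines:
        ev = parse(line)
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "").lower()
        # Registry persistence: the configured Run value name, or any Run/Winlogon
        # value whose data ends in the install path (covers "Modifies WinLogon").
        if RUN_KEY_RE.search(target) and target.rsplit("\\", 1)[-1].lower() == cfg["reg_key"].lower():
            hits.append(Hit("run_key_name", line))
        elif (RUN_KEY_RE.search(target) or WINLOGON_RE.search(target)) and details.endswith(install):
            hits.append(Hit("autostart_install_path", line))
        # Mutex: exact match for this build, prefix match for the family.
        m = DC_MUTEX_RE.search(ev.get("Mutex", ""))
        if m:
            hits.append(Hit("mutex_exact" if m.group(0) == cfg["mutex"] else "mutex_family", line))
        # Network: only the routable C2 entries count.
        dest = (ev.get("DestinationHostname") or ev.get("DestinationIp") or "").lower()
        port = ev.get("DestinationPort")
        if dest and port and (dest, int(port)) in c2:
            hits.append(Hit("c2", line))
    return hits


# Constructed sample telemetry (assumption: not from the sandbox run). The
# Winlogon value name "UserInit" is illustrative; the report only says the key was modified.
EVENTS = [
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate Details=C:\Users\u\Documents\MSDCSC\msdcsc.exe",
    r"EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit Details=C:\Windows\system32\userinit.exe,C:\Users\u\Documents\MSDCSC\msdcsc.exe",
    r"EventID=3 Image=C:\Users\u\Documents\MSDCSC\msdcsc.exe DestinationHostname=mangerpop.hopto.org DestinationPort=1604",
    r"EventID=3 Image=C:\Program Files\app.exe DestinationIp=192.168.1.88 DestinationPort=1604",
    r"Mutex=DC_MUTEX-5UP3J49 Process=msdcsc.exe",
    r"Mutex=DC_MUTEX-ABC123 Process=svchost.exe",
    r"EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(f"{hit.rule:24} {hit.line}")
```

Running it flags the Run value, the Winlogon write pointing at msdcsc.exe, the connection to mangerpop.hopto.org:1604 and both mutexes, while the 192.168.1.88:1604 connection and the benign OneDrive Run value produce nothing; in a real environment the mutex_family and autostart_install_path rules are the ones that survive a rebuilt sample with a new mutex and Run value name.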

MITRE ATT&CK Enterprise v15

Tasks