General

  • Target: 8f2f3fea2f370ae2d84486d6cfc17335_JaffaCakes118
  • Size: 810KB
  • Sample: 240812-sfnnza1blb
  • MD5: 8f2f3fea2f370ae2d84486d6cfc17335
  • SHA1: 84fa03f9011f9f6779e17985882a6eb90d52bb03
  • SHA256: f457fa6cf478e07a84a40ba71502f9f0291ab7dab1f74fb054f2f165e318385c
  • SHA512: b21706a92ebcfb8c16f9277bdb194193f68197e326ca9735fd138cc6ce00ccddd4d440b4b464ab1d38e5c9c53e62e756d146fa4cad62eba4892f4d8a1cb8534f
  • SSDEEP: 24576:n////ccuzaEDe7rFgXeafSExixMFgD/VD:RWErFmeaKaFgDN

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: maxime.zapto.org:1600
  • C2: 192.168.1.16:1600
  • Mutex: DC_MUTEX-SKMAQFL

Attributes

  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: tGsA4xhaalKs
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks