General

  • Target

    8f843c6cf42e4d4daa1d73f3bfda1394_JaffaCakes118

  • Size

    4.3MB

  • Sample

    240812-vcp4qsvaka

  • MD5

    8f843c6cf42e4d4daa1d73f3bfda1394

  • SHA1

    56cda333385061ea2e992c231be3bfa89749d8ba

  • SHA256

    5066abf8a093430b66f0a52f08aef0bb0d2d1100d098f1e8282e3f63c8f15eac

  • SHA512

    63a5f41a9b072ebf1fc446106576d87f835832c5c9779ffc56f3f11ca46db1db9ab59786036cfbbe004a41d8f26755a46b4338e5b4f19f26136c2148d2b903ce

  • SSDEEP

    98304:XVMn+wM3000DHEMkQkTRSk1Ug+uaVfQ6ab6b+f:X+n+wm0PNkkuahGby

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    cometa.no-ip.info:1604

  • Mutex

    DC_MUTEX-42DMZQ9

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    G2idcVn9ijrC

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      8f843c6cf42e4d4daa1d73f3bfda1394_JaffaCakes118

    • Size

      4.3MB

    • MD5

      8f843c6cf42e4d4daa1d73f3bfda1394

    • SHA1

      56cda333385061ea2e992c231be3bfa89749d8ba

    • SHA256

      5066abf8a093430b66f0a52f08aef0bb0d2d1100d098f1e8282e3f63c8f15eac

    • SHA512

      63a5f41a9b072ebf1fc446106576d87f835832c5c9779ffc56f3f11ca46db1db9ab59786036cfbbe004a41d8f26755a46b4338e5b4f19f26136c2148d2b903ce

    • SSDEEP

      98304:XVMn+wM3000DHEMkQkTRSk1Ug+uaVfQ6ab6b+f:X+n+wm0PNkkuahGby

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks