General

  • Target

    942a036d89adc9c5be8e7b3f5c9539e1_JaffaCakes118

  • Size

    724KB

  • Sample

    240813-wnsvfaybja

  • MD5

    942a036d89adc9c5be8e7b3f5c9539e1

  • SHA1

    dd02be7aee2b4586ecb9c8fc11b4b81e2c504e76

  • SHA256

    ee4e81f41e6e2aa027fad06d0186eb3783445e36043c6f4d6d427526b0c2d717

  • SHA512

    4f640066b909910cbc99440edd7fd7b406c9777c0e6a2d0d732a5173424b95c2e16fca3fe66982813fb8d7176b9823068618de97d33a81c597c794f12b9bb9d8

  • SSDEEP

    12288:jjo5Ef0afX7IIpRVefojv1g3+jps0c53f5hrgxo1u+B:jXf08RJpgu4f4eou

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    mohamedmmk.zapto.org:82

  • Mutex

    DC_MUTEX-L1KB0QQ

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    LN0J2LLsllhH

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      942a036d89adc9c5be8e7b3f5c9539e1_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
