General

  • Target: 952c5a792347039a153342876e109df9_JaffaCakes118
  • Size: 852KB
  • Sample: 240814-je9qdavemr
  • MD5: 952c5a792347039a153342876e109df9
  • SHA1: 7c0848d97001d0f7cdcc6f3b2b0845d0d7a22395
  • SHA256: 2d4bf941335e90e9dfbfa59ce34db08f44cefac45917ccf2b352f196f2f85967
  • SHA512: 4f49f08f3d18f28adcebab78add0e193bc500a57e86cbfc1ec179980403bda1f02af0bc235dbb4e01c2f3bf6e86bb41e5c15dacf510492862410ec466fe6bb8d
  • SSDEEP: 12288:vl8E4w5huat7UovONzbXwZgb8P1ln7Ckacbkd/U42ZOg84OoGNCFvDXzY:bdhHwNzbXM08P1l7CkapD2EhXN0vDj

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: Guest16
  • C2: dzspy.no-ip.info:1604
  • Mutex: DC_MUTEX-LGVVJ5D

Attributes

  • InstallPath: MSDCSC\msdcsc.exe
  • gencode: Hia0SoRiyauA
  • install: true
  • offline_keylogger: true
  • password: azerty456
  • persistence: true
  • reg_key: MicroUpdate

Targets

  • Darkcomet
    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  • Modifies WinLogon for persistence
  • Modifies firewall policy service
  • Modifies security service
  • Windows security bypass
  • Disables RegEdit via registry modification
  • Disables Task Manager via registry modification
  • Sets file to hidden
    Modifies file attributes to stop the file from showing in Explorer and similar tools.
  • Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  • Event Triggered Execution: Component Object Model Hijacking
    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  • Executes dropped EXE
  • Loads dropped DLL
  • UPX packed file
    Detects executables packed with the UPX open source packer or a modified UPX.
  • Windows security modification
  • Adds Run key to start application
  • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15