General

  • Target

    9aad53c1816a10d9875822406fba4ad6_JaffaCakes118

  • Size

    3.5MB

  • Sample

    240815-tgde3azgph

  • MD5

    9aad53c1816a10d9875822406fba4ad6

  • SHA1

    48249d79171c92eeff1c12eca76e89768f98aaad

  • SHA256

    0e9372b0f783ab0f317fa2922b3441e823fd392c18373fd5f6adeadcd44645f7

  • SHA512

    c34c65a0687bd46620e74d20271c353bff1f6bbc80df25bfa2a1fe5aed48a95f4e79fe9594ae37572e5d71485e49b014e6b237e9c6843e11b7887b6c588bcad3

  • SSDEEP

    98304:pvT2uWHkuIBKGMzkj455yEjYOpCmtyFq1:pvToHkuIIj04GE1p3kF

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    love88.no-ip.biz:1604

  • Mutex

    DC_MUTEX-5TQYMKP

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    0gYS03wEsF8t

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15