General

  • Target

    9c446de6d14b63ac198ce7b26cbe34a0_JaffaCakes118

  • Size

    937KB

  • Sample

    240816-ayjtmavdlf

  • MD5

    9c446de6d14b63ac198ce7b26cbe34a0

  • SHA1

    cd5d67d7aed102e26909be9780bd4cd7a80d57a0

  • SHA256

    b77e18b1acc022824f5a3056e141918e57946d9cda62ec4c8bb2434c1d5dd6cb

  • SHA512

    84ad1d8b8417ce361b6d78a300a54026491a894bb480cf162a003afea53f055cebd54bf8fb1e43d0b1b3f1e267302e0dd85b4a9a496446c6c40f907a854a51f1

  • SSDEEP

    24576:vnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpD9bNCfL:PELbVMTrOq49OL

Malware Config

Extracted

Family

darkcomet

Botnet

MAIN

C2

aditi1rajan.zapto.org:100

Mutex

DC_MUTEX-94XYLM2

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    1pNxuWVLzDfY

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

latentbot

C2

aditi1rajan.zapto.org

Targets

    • Target

      9c446de6d14b63ac198ce7b26cbe34a0_JaffaCakes118

    • Size

      937KB

    • MD5

      9c446de6d14b63ac198ce7b26cbe34a0

    • SHA1

      cd5d67d7aed102e26909be9780bd4cd7a80d57a0

    • SHA256

      b77e18b1acc022824f5a3056e141918e57946d9cda62ec4c8bb2434c1d5dd6cb

    • SHA512

      84ad1d8b8417ce361b6d78a300a54026491a894bb480cf162a003afea53f055cebd54bf8fb1e43d0b1b3f1e267302e0dd85b4a9a496446c6c40f907a854a51f1

    • SSDEEP

      24576:vnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpD9bNCfL:PELbVMTrOq49OL

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
