General

  • Target

    fd1e44d11808ca91a7940d24bf658fcd_JaffaCakes118

  • Size

    659KB

  • Sample

    240928-zmbrbayejh

  • MD5

    fd1e44d11808ca91a7940d24bf658fcd

  • SHA1

    2a59d28f1db6f19200cbb4231e2d28b718bbda55

  • SHA256

    31aef57a9f9140e19af0ccbb0b348a8122f609a4e7f68f987cf4fe3f1ede6ce1

  • SHA512

    9541acdf8794c381573ec1153152e65bb26465022fa549088aceb960449f3282ca718507cb35e197117c0d88466b4cdda0f4a839d34e9054b59576f8e0f34bee

  • SSDEEP

    12288:EX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Q0p:Css2Sm39NNv9wY7tHwbzfIoK6Moh

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    127.0.0.1:1604

  • Mutex

    DCMIN_MUTEX-7KRY2U5

  • Attributes

    • InstallPath

      DCSCMIN\IMDCSC.exe

    • gencode

      RsiwuiVSWNDE

    • install

      true

    • offline_keylogger

      true

    • persistence

      false

    • reg_key

      DarkComet RAT

Targets

    • Target

      fd1e44d11808ca91a7940d24bf658fcd_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15