General

  • Target

    00dedf9c43fde32d6f9fbbde606d768c_JaffaCakes118

  • Size

    658KB

  • Sample

    240930-mk1ansvcpf

  • MD5

    00dedf9c43fde32d6f9fbbde606d768c

  • SHA1

    219472ef5a94f652b967296d9c073f76a3e71b51

  • SHA256

    405fda89c000e10b27c126a5ffb4e1d1ce6a4dd80a3f5a2da1fb0a8ddadc7fc2

  • SHA512

    c39518ad3e4ced0caade50177db2705a2801a658afd453e730b09b7847cd0520136d0ac8320e67a86854d99b8ca3644e74a120e5aba2f7d1d3dddb87600ea892

  • SSDEEP

    12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hK:+Z1xuVVjfFoynPaVBUR8f+kN10EB4

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16_min

  • C2

    adnan.no-ip.org:1604

  • Mutex

    DCMIN_MUTEX-WWB71BG

  • Attributes

      • InstallPath

        DCSCMIN\IMDCSC.exe

      • gencode

        c0bAVg01suzC

      • install

        true

      • offline_keylogger

        true

      • persistence

        false

      • reg_key

        dvc

Targets

    • Target

      00dedf9c43fde32d6f9fbbde606d768c_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
