General

  • Target

    2c8cd6bf7086f60d67f5a05b9d7be48a_JaffaCakes118

  • Size

    1.2MB

  • Sample

    241009-hcmbmashqd

  • MD5

    2c8cd6bf7086f60d67f5a05b9d7be48a

  • SHA1

    6e50d6d32e174ecf7f2b028a5f966805cf23ce1e

  • SHA256

    996d6fa70b4a483110c82d4cfd22151697a7b658ec380740da13ece41d0c051e

  • SHA512

    e76bfcf6fe140cbc93f7dc5a83c1e8c149231038cba2699b2b951278e770fad49b08e73ee71ec47ded409d61eb43219c83a977372a37b0db351286a8cf32837d

  • SSDEEP

    24576:KPWS1H6NYo3l7Xh56k+PU09dgyUJG4+eLTyy3GvRXrtt5GMPew:pK6NR3VxQTPH9dJwG9eLsRX/BPew

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

imdeniil.no-ip.org:1604

Mutex

DCMIN_MUTEX-XKB8VQP

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    dFbBHEcSRkuB

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT
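The extracted config above is directly usable as hunt input: the C2 hostname and port, the mutex, the relative install path and the Run value name are all things that show up in endpoint and DNS telemetry, and the report's behaviour signatures (Run key added, WinLogon modified) tell you which registry locations to watch. The following is an added example, not the sandbox's own tooling: it normalises those indicators and runs them over a handful of constructed Sysmon-style events. The event shapes, the drop directory under the victim's Documents folder, and the WinLogon default values are assumptions for the demo; the report does not state where DCSCMIN\IMDCSC.exe lands or which WinLogon value is changed.

```python
"""Turn the DarkComet config extracted in this report into hunt logic and run
it over constructed, Sysmon-style events (added example; not sandbox tooling)."""
import re

# Copied from the "Malware Config" section of this report.
CONFIG = {
    "c2": "imdeniil.no-ip.org:1604",
    "mutex": "DCMIN_MUTEX-XKB8VQP",
    "install_path": r"DCSCMIN\IMDCSC.exe",   # relative; base directory not given by the report
    "reg_key": "DarkComet RAT",              # Run value name per the report
}

# Registry locations the report's signatures point at (Run key, WinLogon).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
WINLOGON_RE = re.compile(r"\\Winlogon\\(Userinit|Shell)$", re.I)
# Stock values (assumed defaults); anything appended to them is suspicious.
WINLOGON_DEFAULTS = {"userinit": r"c:\windows\system32\userinit.exe,",
                     "shell": "explorer.exe"}


def build_iocs(cfg):
    """Normalise the config into comparable indicators."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_path": cfg["install_path"].lower(),
        "run_value": cfg["reg_key"].lower(),
    }


def match_event(ev, iocs):
    """Return the name of the first rule an event trips, or None."""
    kind = ev["type"]
    if kind == "dns_query":
        return "c2_dns_lookup" if ev["query"].lower() == iocs["c2_host"] else None
    if kind == "network_connect":
        if ev["dest_port"] == iocs["c2_port"] and ev.get("dest_host", "").lower() == iocs["c2_host"]:
            return "c2_connect"
        return None
    if kind == "mutex_create":
        return "darkcomet_mutex" if ev["name"] == iocs["mutex"] else None
    if kind == "file_create":
        return "install_path_drop" if ev["path"].lower().endswith(iocs["install_path"]) else None
    if kind == "registry_set":
        target = ev["target"]
        if RUN_KEY_RE.search(target) and target.lower().endswith("\\" + iocs["run_value"]):
            return "run_key_persistence"
        m = WINLOGON_RE.search(target)
        if m and ev["details"].strip().lower() != WINLOGON_DEFAULTS[m.group(1).lower()]:
            return "winlogon_modification"
    return None


def hunt(events, cfg=CONFIG):
    """Return [(event id, rule)] for every event that matches an indicator."""
    iocs = build_iocs(cfg)
    hits = []
    for ev in events:
        rule = match_event(ev, iocs)
        if rule:
            hits.append((ev["id"], rule))
    return hits


# Constructed events in the shape of Sysmon/EDR telemetry; the last two are benign noise.
VICTIM_DIR = r"C:\Users\victim\Documents"   # assumed drop location for the demo
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns_query", "query": "imdeniil.no-ip.org"},
    {"id": 2, "type": "network_connect", "dest_host": "imdeniil.no-ip.org", "dest_port": 1604},
    {"id": 3, "type": "mutex_create", "name": "DCMIN_MUTEX-XKB8VQP"},
    {"id": 4, "type": "file_create", "path": VICTIM_DIR + r"\DCSCMIN\IMDCSC.exe"},
    {"id": 5, "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT",
     "details": VICTIM_DIR + r"\DCSCMIN\IMDCSC.exe"},
    {"id": 6, "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe," + VICTIM_DIR + r"\DCSCMIN\IMDCSC.exe"},
    {"id": 7, "type": "dns_query", "query": "www.example.com"},
    {"id": 8, "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Two points worth keeping in mind when reusing this. The C2 is a no-ip.org dynamic DNS name, so the hostname (and the DNS query for it) is the durable indicator; any IP it resolved to during the sandbox run is not on this page and would be stale anyway. And the extracted config reports persistence as false while the sandbox still observed a Run key and a WinLogon change, so hunt on the observed behaviour rather than trusting the builder flag.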

Targets

    • Target

      2c8cd6bf7086f60d67f5a05b9d7be48a_JaffaCakes118

    • Size

      1.2MB

    • MD5

      2c8cd6bf7086f60d67f5a05b9d7be48a

    • SHA1

      6e50d6d32e174ecf7f2b028a5f966805cf23ce1e

    • SHA256

      996d6fa70b4a483110c82d4cfd22151697a7b658ec380740da13ece41d0c051e

    • SHA512

      e76bfcf6fe140cbc93f7dc5a83c1e8c149231038cba2699b2b951278e770fad49b08e73ee71ec47ded409d61eb43219c83a977372a37b0db351286a8cf32837d

    • SSDEEP

      24576:KPWS1H6NYo3l7Xh56k+PU09dgyUJG4+eLTyy3GvRXrtt5GMPew:pK6NR3VxQTPH9dJwG9eLsRX/BPew

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

Looks up the country code configured in the registry, most likely for geofencing (running or staying dormant depending on the victim's locale).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

Detects executables packed with the open-source UPX packer or a modified build of it. UPX is trivially unpacked when stock, but modified builds change the headers and section names, so this signature on its own says nothing about what the unpacked payload is.

MITRE ATT&CK Enterprise v15

Tasks