General

  • Target

    55ef299dc3a3c80f25554923566ac6a0_JaffaCakes118

  • Size

    964KB

  • Sample

    241018-g5e8casbje

  • MD5

    55ef299dc3a3c80f25554923566ac6a0

  • SHA1

    55313910c1e6c2c8b9aaf718032abec535827f7b

  • SHA256

    b8fdffbc9feea0a09a486ef190122efa7defd7a41bf3e3dacdc6ac6c4f5d38d9

  • SHA512

    ecb41fa1838b88205ea28514d2483044e36057a67743e712f8653497e5e24fe56ac9662fd2b05de634eaa945d639cc29e516323e906aff67725420d9800fc557

  • SSDEEP

    24576:O/9tT24rAjDLG50Xot0fvF+2rGVvELMR2mA6O:OrUL4taI2O52xL

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    FUD Crypt

  • C2

    wcrat2.no-ip.org:201

  • Mutex

    DC_MUTEX-F9SVRHH

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    j6CuqwUwAD5D

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    msdcsc.exe

Targets

    • Target

      55ef299dc3a3c80f25554923566ac6a0_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
