General

  • Target

    a39e406a9096eafa928a424f806c7282_JaffaCakes118

  • Size

    660KB

  • Sample

    241126-xslscsvlht

  • MD5

    a39e406a9096eafa928a424f806c7282

  • SHA1

    1e5ab6834818e098b27c1c0ed616a8456ee40dcc

  • SHA256

    e607408e4c002676eb8c7f1a61f5a2c1d2c52b262ca98f71e5218297ccc96bc1

  • SHA512

    b373670d309f7787b7a64d0db7bacd8bfb4d9695a96c9cc10d190b78ea0c3947954a1dcd4be352eb193a3c377f3c51f34387833d16c0f3b79d4189611a4839b5

  • SSDEEP

    12288:UXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UY:CnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JI

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    ByGolge

  • C2

    haybensenin3.zapto.org:1604

  • Mutex

    DC_MUTEX-NXLR9FFS8Z5SQ8W8S5F5T5G5H5Y9Y8Y4H5G2A2S5DQ8W7Z92NNG2YZ1Q

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    MBzeYmsBiawB

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      a39e406a9096eafa928a424f806c7282_JaffaCakes118

    • Size

      660KB

    • MD5

      a39e406a9096eafa928a424f806c7282

    • SHA1

      1e5ab6834818e098b27c1c0ed616a8456ee40dcc

    • SHA256

      e607408e4c002676eb8c7f1a61f5a2c1d2c52b262ca98f71e5218297ccc96bc1

    • SHA512

      b373670d309f7787b7a64d0db7bacd8bfb4d9695a96c9cc10d190b78ea0c3947954a1dcd4be352eb193a3c377f3c51f34387833d16c0f3b79d4189611a4839b5

    • SSDEEP

      12288:UXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UY:CnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JI

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15