General

  • Target

    b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118

  • Size

    2.8MB

  • Sample

    241129-ljk9paxrgw

  • MD5

    b059b04942a14a27223f4bb9149d8eb0

  • SHA1

    45ddf1c31abf3aeb85a4f691a4a6569fa4703707

  • SHA256

    438d2ed17d7a6b8e0cb6267072fc2b8bf50c33d1507dc1849e9f1968f3acd287

  • SHA512

    f8711e971d5fb24662ee09ef70451eead70e2e9b3291ce0dadfac0824fd8ea3778fd6cb8991bc25e49c2d057ea256489a5664a606db455eca366ec19b7e865dd

  • SSDEEP

    49152:aELbVMTrOq4qQoJZdiyqcsxWjI9I/KTvUwhq5:a6b+f7QoPjIS/KTMwE

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

kbotdarkorbit.no-ip.org:10

189.186.45.5:10

192.168.1.196:10

Mutex

DC_MUTEX-RK3KJAL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    CYK1BgXzzXZt

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118

    • Size

      2.8MB

    • MD5

      b059b04942a14a27223f4bb9149d8eb0

    • SHA1

      45ddf1c31abf3aeb85a4f691a4a6569fa4703707

    • SHA256

      438d2ed17d7a6b8e0cb6267072fc2b8bf50c33d1507dc1849e9f1968f3acd287

    • SHA512

      f8711e971d5fb24662ee09ef70451eead70e2e9b3291ce0dadfac0824fd8ea3778fd6cb8991bc25e49c2d057ea256489a5664a606db455eca366ec19b7e865dd

    • SSDEEP

      49152:aELbVMTrOq4qQoJZdiyqcsxWjI9I/KTvUwhq5:a6b+f7QoPjIS/KTMwE

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks