General

  • Target

    b19eda147b532b40f1d44c452644760d_JaffaCakes118

  • Size

    933KB

  • Sample

    241129-q2c39asren

  • MD5

    b19eda147b532b40f1d44c452644760d

  • SHA1

    d0d43ca58a94af46c4eb0f2f8afcc37b455ed8c8

  • SHA256

    f885db8ff4beeb0de5ee6cf22eb6f87890c60496b9fb9fb2d5b5dce4ce4060d4

  • SHA512

    a96a1fe4750e289b0981a88972ce349c99d78f169aaf59966e31fc53a3e448fc850849f092756af4cb21770b9e92d776338a3568101d8ad5cfae79c34c5e4dfa

  • SSDEEP

    24576:f1WgdwU0MlRDXoGqgnZ58wkZ1B+QtiE8ZRXbXFpF6AcInqti0:9dwUnu8Z56wbE8nXbXFn6AcWui0

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

95.133.3.230:1604

Mutex

DC_MUTEX-D1XJ1Z3

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    UprUuFRJwerw

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      b19eda147b532b40f1d44c452644760d_JaffaCakes118

    • Size

      933KB

    • MD5

      b19eda147b532b40f1d44c452644760d

    • SHA1

      d0d43ca58a94af46c4eb0f2f8afcc37b455ed8c8

    • SHA256

      f885db8ff4beeb0de5ee6cf22eb6f87890c60496b9fb9fb2d5b5dce4ce4060d4

    • SHA512

      a96a1fe4750e289b0981a88972ce349c99d78f169aaf59966e31fc53a3e448fc850849f092756af4cb21770b9e92d776338a3568101d8ad5cfae79c34c5e4dfa

    • SSDEEP

      24576:f1WgdwU0MlRDXoGqgnZ58wkZ1B+QtiE8ZRXbXFpF6AcInqti0:9dwUnu8Z56wbE8nXbXFn6AcWui0

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks