General

  • Target

    b4cce273471670645904d27d781edbc7_JaffaCakes118

  • Size

    935KB

  • Sample

    241130-e64wzssnfy

  • MD5

    b4cce273471670645904d27d781edbc7

  • SHA1

    7a569c50fc13f4833fad070d9c47a6b8417fceea

  • SHA256

    de2cb68fa4b68d9d472ed823ac7124e5c9d0a8232a7407ac710547a26af38599

  • SHA512

    1e104a8218b352de7d2f0d787c8e53fccb683d6a7fc9118a2c10136463c83bd86ecce97b21d557d48868918a0bd1fb8bc749cd6691c869fc806548a1926a9774

  • SSDEEP

    24576:ZCNZK65lu9ye0NwPR93/ynv54TeeC4MC0:w265l+y8f36nvSF

Malware Config

Extracted

Family

darkcomet

Botnet

möpn

C2

194.166.90.128:1604

Mutex

DC_MUTEX-WAZ1JK5

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    82L5220nX277

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      b4cce273471670645904d27d781edbc7_JaffaCakes118

    • Size

      935KB

    • MD5

      b4cce273471670645904d27d781edbc7

    • SHA1

      7a569c50fc13f4833fad070d9c47a6b8417fceea

    • SHA256

      de2cb68fa4b68d9d472ed823ac7124e5c9d0a8232a7407ac710547a26af38599

    • SHA512

      1e104a8218b352de7d2f0d787c8e53fccb683d6a7fc9118a2c10136463c83bd86ecce97b21d557d48868918a0bd1fb8bc749cd6691c869fc806548a1926a9774

    • SSDEEP

      24576:ZCNZK65lu9ye0NwPR93/ynv54TeeC4MC0:w265l+y8f36nvSF

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Deletes itself

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks