General

  • Target

    c940561721d0f3ba4ecdc6f75254d860_JaffaCakes118

  • Size

    621KB

  • Sample

    241205-y2zagszpaw

  • MD5

    c940561721d0f3ba4ecdc6f75254d860

  • SHA1

    e76448bc9374bca193ce44e7c8b45a97f99c586b

  • SHA256

    7834fcbf6afbd23b8c94d2374b1ff4f07576110f5a06ee62c96b9c745df3dbed

  • SHA512

    1a513a17810602990dc1f84e51958cdb874450b889343c5f2a5a0a643ccd0e198cf1a22aaebf99b9b83a49295cbf7164023bb305979280b32245d53af0a51d4b

  • SSDEEP

    12288:fYQTKiAEfn2fQ2xDtiKU/MZEfzadOh0LvxZYDiI5tYMgz2R:VO4Yi6EfzaYh0Twj5ufzG

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    davaydavay123.no-ip.org:1610

  • Mutex

    DC_MUTEX-JZVHV5Z

  • Attributes

    • InstallPath

      MSDCSC\msdcsc.exe

    • gencode

      lV69QiAKlk5T

    • install

      true

    • offline_keylogger

      true

    • persistence

      false

    • reg_key

      MicroUpdate

Targets

    • Target

      c940561721d0f3ba4ecdc6f75254d860_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks