General

  • Target

    cf87d7e808faec9cfd1d2dc39a80d634_JaffaCakes118

  • Size

    756KB

  • Sample

    241206-29ccgasrdv

  • MD5

    cf87d7e808faec9cfd1d2dc39a80d634

  • SHA1

    43aa7194671f56326b06df68662994e8c5b2901e

  • SHA256

    f593910c588856c47056520d2edf93ebd4bd9ae9c68205d657aac26276d65e82

  • SHA512

    cb6b840b6b3896133f0a0dda6ee836cab7b9f8ab7e790853340e079db7800636a55285b05701f9c4cc8d68db38d40a8c78c2d28566b5395a767706a1d20b66c4

  • SSDEEP

    12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hdrzm:uZ1xuVVjfFoynPaVBUR8f+kN10EB3zm

Malware Config

Extracted

Family

darkcomet

Botnet

farcry 3

C2

127.0.0.1:1604

stalker91.no-ip.org:1604

Mutex

DC_MUTEX-E9CMGU0

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    tXYkPC1ntx3C

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      cf87d7e808faec9cfd1d2dc39a80d634_JaffaCakes118

    • Size

      756KB

    • MD5

      cf87d7e808faec9cfd1d2dc39a80d634

    • SHA1

      43aa7194671f56326b06df68662994e8c5b2901e

    • SHA256

      f593910c588856c47056520d2edf93ebd4bd9ae9c68205d657aac26276d65e82

    • SHA512

      cb6b840b6b3896133f0a0dda6ee836cab7b9f8ab7e790853340e079db7800636a55285b05701f9c4cc8d68db38d40a8c78c2d28566b5395a767706a1d20b66c4

    • SSDEEP

      12288:C9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hdrzm:uZ1xuVVjfFoynPaVBUR8f+kN10EB3zm

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks