General

  • Target

    d3aa661e379ab45d42e977fe6440320d_JaffaCakes118

  • Size

    1.0MB

  • Sample

    241207-z6xswstqgx

  • MD5

    d3aa661e379ab45d42e977fe6440320d

  • SHA1

    d3033071d5e7e099eb1292ac1c29a1ccf9ddc29d

  • SHA256

    596742e436c3a63ade42e1f91bb00364a21a3ed3f742122dbe0368280e8f02e9

  • SHA512

    2bb2a2678dfd01b47c9617f9d72e9eba589fbebdc074019e0e8776f6575441ca2971252df447648f2c423a0630c49a19a4852e430288e20e763f12cf97ae83a1

  • SSDEEP

    24576:n+t551zGlKYkNmyASIHZmHmHMcbG3tbxp1aL9g:n+t55dGimyASIoHmsfbxpE

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

68.194.136.134:1604

Mutex

DC_MUTEX-G293ZDW

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    qG1EhGAmh8HK

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      d3aa661e379ab45d42e977fe6440320d_JaffaCakes118

    • Size

      1.0MB

    • MD5

      d3aa661e379ab45d42e977fe6440320d

    • SHA1

      d3033071d5e7e099eb1292ac1c29a1ccf9ddc29d

    • SHA256

      596742e436c3a63ade42e1f91bb00364a21a3ed3f742122dbe0368280e8f02e9

    • SHA512

      2bb2a2678dfd01b47c9617f9d72e9eba589fbebdc074019e0e8776f6575441ca2971252df447648f2c423a0630c49a19a4852e430288e20e763f12cf97ae83a1

    • SSDEEP

      24576:n+t551zGlKYkNmyASIHZmHmHMcbG3tbxp1aL9g:n+t55dGimyASIoHmsfbxpE

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (DarkCoderSc). Its author discontinued development in 2012, but builds produced with the leaked builder are still submitted to sandboxes, as this sample shows.

    • Darkcomet family

    • Modifies WinLogon for persistence

      In DarkComet builds this is typically the Winlogon UserInit value, to which the implant's install path is appended so it launches at every logon. This and the Run key below are the startup entries; the config's persistence flag is a separate builder option, so persistence=false does not mean the sample has no startup mechanism.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is the classic final step of process hollowing (RunPE), redirecting a suspended process to injected code. Confirm from the process tree which child the sample hollowed, since that child, not the dropped EXE, is where the C2 traffic will originate.
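The extracted config and the signatures above give a SOC analyst everything needed to hunt for this build on other hosts: the C2 socket, the mutex, the Run key value name, the install path and the Winlogon edit. The script below is an added example, not code from the sandbox or from DarkComet, that turns those indicators into matching logic and runs it over constructed Sysmon-style telemetry. The indicator values are copied from the report; the HKCU Run key location, the UserInit value as the Winlogon target, the Documents-relative install directory and every telemetry record are assumptions, and the DC_MUTEX- prefix match generalises beyond this sample to other builds of the family.

```python
"""Hunt for the DarkComet indicators extracted in this report.

Added example for this report, not sandbox or DarkComet code. Telemetry
records are constructed; the registry locations are assumptions.
"""
import re

# Indicators copied verbatim from the extracted config above.
CONFIG = {
    "family": "darkcomet",
    "botnet": "Guest16",
    "c2": "68.194.136.134:1604",
    "mutex": "DC_MUTEX-G293ZDW",
    "install_path": r"MSDCSC\msdcsc.exe",
    "reg_key": "MicroUpdate",
    "sha256": "596742e436c3a63ade42e1f91bb00364a21a3ed3f742122dbe0368280e8f02e9",
}

# Generalisation: DarkComet names its mutex DC_MUTEX-<7 chars>, so a prefix
# match also catches sibling builds that do not share this gencode.
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")

# Constructed telemetry, one dict per event (Sysmon-like shapes, invented values).
SAMPLE_EVENTS = [
    {"type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate", "data": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe"},
    {"type": "registry", "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "UserInit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\alice\Documents\MSDCSC\msdcsc.exe"},
    {"type": "network", "dst": "68.194.136.134", "dport": 1604, "proto": "tcp"},
    {"type": "mutex", "name": "DC_MUTEX-G293ZDW"},
    {"type": "mutex", "name": "DC_MUTEX-A1B2C3D"},  # different build, same family
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"type": "network", "dst": "8.8.8.8", "dport": 53, "proto": "udp"},  # benign
    {"type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def c2_endpoint(c2: str) -> tuple[str, int]:
    """Split the 'host:port' C2 string from the config into (host, port)."""
    host, port = c2.rsplit(":", 1)
    return host, int(port)


def match_event(event: dict, cfg: dict = CONFIG) -> list[str]:
    """Return the reasons an event matches this report's indicators (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry":
        path = event.get("path", "").lower()
        value = event.get("value", "")
        data = event.get("data", "")
        # Run value name is the reg_key attribute from the config (HKCU assumed).
        if path.endswith(r"\currentversion\run") and value == cfg["reg_key"]:
            hits.append("run_key:" + value)
        # 'Modifies WinLogon for persistence': UserInit normally holds a single
        # image; a second comma-separated entry is the appended implant.
        entries = [e for e in data.split(",") if e.strip()]
        if path.endswith(r"\winlogon") and value.lower() == "userinit" and len(entries) > 1:
            hits.append("winlogon_userinit:" + data)
        if cfg["install_path"].lower() in data.lower():
            hits.append("install_path:" + data)
    elif kind == "network":
        host, port = c2_endpoint(cfg["c2"])
        if event.get("dst") == host and event.get("dport") == port:
            hits.append("c2:" + cfg["c2"])
    elif kind == "mutex":
        name = event.get("name", "")
        if name == cfg["mutex"]:
            hits.append("mutex_exact:" + name)
        elif DC_MUTEX_RE.match(name):
            hits.append("mutex_family:" + name)
    elif kind == "process":
        if event.get("sha256", "").lower() == cfg["sha256"]:
            hits.append("sha256:" + cfg["sha256"])
        if cfg["install_path"].lower() in event.get("image", "").lower():
            hits.append("install_path:" + event["image"])
    return hits


def hunt(events: list[dict], cfg: dict = CONFIG) -> list[tuple[int, str]]:
    """Run match_event over a telemetry stream; returns (event index, reason) pairs."""
    return [(i, reason) for i, ev in enumerate(events) for reason in match_event(ev, cfg)]


if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The C2 and mutex matches are the high-confidence hits; the install-path and Run-key matches depend on where this build writes, so verify the assumed locations against the full registry and file trace before turning them into alerts. The family-level mutex match is deliberately separate from the exact match so it can be tuned to a lower severity.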

MITRE ATT&CK Enterprise v15

Tasks