General

  • Target

    dcddac42de4c2fc0364b9a343bf1a344_JaffaCakes118

  • Size

    253KB

  • Sample

    241210-ea9scssqaw

  • MD5

    dcddac42de4c2fc0364b9a343bf1a344

  • SHA1

    3f328948addf10670e26eb2e400df752c2256c6a

  • SHA256

    e77f7308e33f65c60c4583403757b922f60c2b652be673c6f05d3bb8e5cbaebc

  • SHA512

    5b10125fd3ef4a4a81458cd5d41fdf62bab0b45ec36219be8040a071dca9da3db09f463548902fb1fc55445df3b963f44d021119b36bf5dd32dceba2ef407fb4

  • SSDEEP

    6144:7D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZ:7l8E4w5huat7UovONzbXw

Malware Config

Extracted

Family

darkcomet

Botnet

Nuevo

C2

87.221.49.179:1604

stealht.no-ip.biz:1604

192.168.1.129:1604

127.0.0.1:1604

Mutex

DC_MUTEX-SVYNZJ4

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    bYFqC5Pe6j8A

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroSound

Targets

    • Target

      dcddac42de4c2fc0364b9a343bf1a344_JaffaCakes118

    • Size

      253KB

    • MD5

      dcddac42de4c2fc0364b9a343bf1a344

    • SHA1

      3f328948addf10670e26eb2e400df752c2256c6a

    • SHA256

      e77f7308e33f65c60c4583403757b922f60c2b652be673c6f05d3bb8e5cbaebc

    • SHA512

      5b10125fd3ef4a4a81458cd5d41fdf62bab0b45ec36219be8040a071dca9da3db09f463548902fb1fc55445df3b963f44d021119b36bf5dd32dceba2ef407fb4

    • SSDEEP

      6144:7D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZ:7l8E4w5huat7UovONzbXw

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks