General

  • Target

    e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118

  • Size

    1.7MB

  • Sample

    241211-qpdh9aymhq

  • MD5

    e1aaadeea3b6a7eb266464759e3015e0

  • SHA1

    b8598cc86990f8037a337d37d815bf6bc2731a4f

  • SHA256

    a56b7626f51392efde61f7badbde40701275e457ee210b22aab17592b9c009a9

  • SHA512

    8b86674e6d410ea4d0dd5e76b584388dcc8aa12880f11e964c18019b289bd651dfe056464448be6d0a90090fdbf39cb32ff9a11f94fb9fd62e9637eb0409c1fb

  • SSDEEP

    12288:BPr07ZEcWwpOYrEAw5bq4RGLeEF7EDG2O2fra7RSRUL7uHDIbntFuisEi6v3DyNq:BjQcbUADuU8iWr9itzwZTEqjQ0EBbtG

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

C2

loldude12345.zapto.org:1604

Mutex

DC_MUTEX-WYV5PKM

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oiVpUYYaVk85

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate
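The "Extracted" block above is what a config extractor produces from the DarkComet stub: the RCDATA configuration is RC4-decrypted and its KEY={value} lines are mapped onto report fields. The script below is an added example, not the sandbox's extractor or the malware author's code. The RC4 key string ("#KCMDDC51#-890" for 5.1-era builds), the field names (NETDATA, MUTEX, SID, EDTPATH, KEYNAME, PERSINST, OFFLINEK, ...) and the hex-encoded layout are taken from public DarkComet analyses, not from this page, so treat them as assumptions to verify against your own sample. The ciphertext is constructed inside the script by encrypting a plaintext built from the values shown on this page, so it runs offline and reproduces the attribute table above.

```python
"""Decode a DarkComet-style configuration block into the fields a sandbox
"Extracted" report shows.  Added example; the key string, field names and
layout are assumptions from public DarkComet 5.x write-ups, not from the page.
"""
from typing import Dict

# Assumption: RC4 key used by DarkComet 5.1 builds for the config resource.
DC51_KEY = b"#KCMDDC51#-890"

# Assumption: DarkComet config keys -> attribute names used in the report.
FIELD_MAP = {
    "NETDATA": "c2",
    "MUTEX": "mutex",
    "SID": "botnet",
    "EDTPATH": "install_path",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
    "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(hex_blob: str, key: bytes = DC51_KEY) -> Dict[str, object]:
    """Hex-decode, RC4-decrypt and parse KEY={value} lines into report fields.

    A wrong key (e.g. a different DarkComet version) yields random bytes, which
    almost never decode as ASCII; that case is reported instead of silently
    returning an empty or garbage config.
    """
    plaintext = rc4(key, bytes.fromhex(hex_blob.strip()))
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII plaintext: wrong RC4 key or DarkComet version?") from exc

    result: Dict[str, object] = {}
    for line in text.splitlines():
        if "={" not in line or not line.endswith("}"):
            continue                      # skip banner/unknown lines
        raw_key, raw_val = line.split("={", 1)
        value = raw_val[:-1]              # strip the closing brace
        name = FIELD_MAP.get(raw_key)
        if name is None:
            continue                      # config keys the report does not surface
        result[name] = (value == "1") if name in BOOL_FIELDS else value
    if "c2" in result:
        host, _, port = str(result["c2"]).rpartition(":")
        result["c2_host"], result["c2_port"] = host, int(port)
    return result


# Constructed sample: the values from this report laid out one KEY={value} per
# line, then encrypted here so the script has a blob to decode offline.
SAMPLE_PLAINTEXT = "\r\n".join([
    "MUTEX={DC_MUTEX-WYV5PKM}",
    "SID={Victim}",
    "NETDATA={loldude12345.zapto.org:1604}",
    "GENCODE={oiVpUYYaVk85}",
    "INSTALL={1}",
    "EDTPATH={MSDCSC\\msdcsc.exe}",
    "KEYNAME={MicroUpdate}",
    "PERSINST={0}",
    "OFFLINEK={1}",
])
SAMPLE_HEX = rc4(DC51_KEY, SAMPLE_PLAINTEXT.encode("ascii")).hex().upper()

if __name__ == "__main__":
    for name, value in parse_config(SAMPLE_HEX).items():
        print(f"{name:18} {value}")
```

In practice the hex blob comes out of the stub's resource section (a PE resource walker such as pefile will hand it to you); the parsed fields then feed detection directly: the mutex name, the reg_key value name under the Run key, the install path and the C2 host:port are exactly the artifacts the behavioural signatures in the Targets section fire on.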

Targets

    • Target

      e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118

    • Size

      1.7MB

    • MD5

      e1aaadeea3b6a7eb266464759e3015e0

    • SHA1

      b8598cc86990f8037a337d37d815bf6bc2731a4f

    • SHA256

      a56b7626f51392efde61f7badbde40701275e457ee210b22aab17592b9c009a9

    • SHA512

      8b86674e6d410ea4d0dd5e76b584388dcc8aa12880f11e964c18019b289bd651dfe056464448be6d0a90090fdbf39cb32ff9a11f94fb9fd62e9637eb0409c1fb

    • SSDEEP

      12288:BPr07ZEcWwpOYrEAw5bq4RGLeEF7EDG2O2fra7RSRUL7uHDIbntFuisEi6v3DyNq:BjQcbUADuU8iWr9itzwZTEqjQ0EBbtG

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15