General

  • Target

    e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118

  • Size

    2.2MB

  • Sample

    241212-3zqyjssjaw

  • MD5

    e8e5c9e651f358d8c24c8f6757f164ed

  • SHA1

    74296bf4fceba6d906055c4fedc51b75f4f99f0d

  • SHA256

    dcff421c7cd4cc77eda4ce513f23ef47cea8784979375ed62a3a78672c590138

  • SHA512

    8605b1b3ecb56450fe1b57aa6a62fc9a18045025b4a1cc7094216da9e86b8c8b19d3f243a8e6a696ec502c80f2837b7350c0f5e0da66014a4d48f0e5784e6c9d

  • SSDEEP

    49152:vYb/OBImCOQewFay6GKEIhfb0wyI9Ko2P4RP:wbCImCOQewFay6GQhfb0FI9KXk

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Novo

  • C2

    tutoriais157.no-ip.org:1604

  • Mutex

    DC_MUTEX-VRFY1RF

  • Attributes

    • InstallPath

      MSDCSC\msdcsc.exe

    • gencode

      MlBzybfvaNEy

    • install

      true

    • offline_keylogger

      true

    • persistence

      true

    • reg_key

      MicroUpdate

Targets

    • Target

      e8e5c9e651f358d8c24c8f6757f164ed_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

      A second persistence mechanism alongside the Run key, so removing only the reg_key entry above leaves the implant able to restart.

    • Modifies firewall policy service

    • Disables RegEdit via registry modification

      Tampering with the registry editor policy is a hardening step against manual cleanup; a host where RegEdit is suddenly blocked should be treated as compromised until checked.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence. The signature is generic and also fires on ordinary locale lookups, so on its own it is informational.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Matches the extracted config: reg_key MicroUpdate pointing at the InstallPath MSDCSC\msdcsc.exe.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is the usual way to redirect execution after a payload has been written into it, so the parent and child processes of this call should be examined as a pair.
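The extracted config and the signature list above together give enough to write host-side detection logic for this sample. The following is an added example, not part of the sandbox report: it turns the config values (C2 host and port, mutex, InstallPath, reg_key) into a classifier run over a handful of constructed telemetry events. The mutex regex generalises the sample's DC_MUTEX-VRFY1RF to the family-wide form, and the exact registry locations used for the "Modifies WinLogon" and "Disables RegEdit" signatures (the Winlogon Userinit value and the DisableRegistryTools policy) as well as the install root under the user's Documents folder are assumptions, since the report names only the behaviour.

```python
import re
from dataclasses import dataclass

# Values copied from the extracted config in the report.
CONFIG = {
    "c2_host": "tutoriais157.no-ip.org",
    "c2_port": 1604,
    "mutex": "DC_MUTEX-VRFY1RF",
    "install_path": "MSDCSC\\msdcsc.exe",
    "reg_key": "MicroUpdate",
}

# Family-level mutex shape generalised from the sample's DC_MUTEX-VRFY1RF
# (assumption: seven upper-case alphanumerics after the prefix).
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")

# Assumed registry locations behind the "Modifies WinLogon" and
# "Disables RegEdit" signatures; the report names the behaviour only.
WINLOGON_USERINIT = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit"
DISABLE_REGEDIT = "\\policies\\system\\disableregistrytools"


@dataclass
class Event:
    kind: str       # registry | file | mutex | dns | netconn
    key: str        # registry value path, file path, mutex name, or hostname
    data: str = ""  # registry data, or remote port for netconn


def classify(ev: Event, cfg: dict = CONFIG) -> list[str]:
    """Labels explaining why an event matches this sample's config (empty = no hit)."""
    hits = []
    key, data = ev.key.lower(), ev.data.lower()
    install = cfg["install_path"].lower()

    if ev.kind == "registry":
        if key.endswith("\\currentversion\\run\\" + cfg["reg_key"].lower()):
            hits.append("run_key:" + cfg["reg_key"])
        if key == WINLOGON_USERINIT and install in data:
            hits.append("winlogon_userinit_persistence")
        if key.endswith(DISABLE_REGEDIT) and data.strip() == "1":
            hits.append("regedit_disabled")
    elif ev.kind == "file" and key.endswith(install):
        hits.append("install_path_written")
    elif ev.kind == "mutex":
        if ev.key == cfg["mutex"]:
            hits.append("sample_mutex")
        elif DC_MUTEX_RE.match(ev.key):
            hits.append("darkcomet_family_mutex")
    elif ev.kind == "dns" and key == cfg["c2_host"].lower():
        hits.append("c2_dns_lookup")
    elif ev.kind == "netconn" and key == cfg["c2_host"].lower() and data == str(cfg["c2_port"]):
        hits.append("c2_connect")
    return hits


def scan(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Return (event, labels) for every event that matched at least one indicator."""
    matched = []
    for ev in events:
        labels = classify(ev)
        if labels:
            matched.append((ev, labels))
    return matched


# Constructed telemetry: eight events modelled on the report's behaviours
# (install root under the victim's Documents folder is assumed) plus three
# benign events that must not match.
SAMPLE_EVENTS = [
    Event("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate",
          "C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"),
    Event("registry", "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
          "C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"),
    Event("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "1"),
    Event("file", "C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"),
    Event("mutex", "DC_MUTEX-VRFY1RF"),
    Event("mutex", "DC_MUTEX-K3P0Q2A"),          # another build of the same family
    Event("dns", "tutoriais157.no-ip.org"),
    Event("netconn", "tutoriais157.no-ip.org", "1604"),
    Event("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
          "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
    Event("mutex", "Local\\ZonesCacheCounterMutex"),
    Event("dns", "update.microsoft.com"),
]

if __name__ == "__main__":
    for ev, labels in scan(SAMPLE_EVENTS):
        print(f"{ev.kind:8} {ev.key}  ->  {', '.join(labels)}")
```

The exact-match labels (sample_mutex, c2_connect, run_key) are specific to this build and will not survive a rebuild with a new gencode; the family mutex pattern and the Winlogon/Run persistence checks are the ones worth keeping as standing detections.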
