General

  • Target

    e4c92e4190580442c367f8a3f7ba0cbf_JaffaCakes118

  • Size

    504KB

  • Sample

    241212-fke66s1nhw

  • MD5

    e4c92e4190580442c367f8a3f7ba0cbf

  • SHA1

    875f9d4228cbc657a275a8e1d38ea8e9f25b692c

  • SHA256

    864ca9e668afd622aa7e36429fec7a85cdaafd1045e1a1ad85c43e4f8ce9f84c

  • SHA512

    23f71d872fde0f01b0d8bc9ddbcb96a08f1c121eae0b6060fb756632143e145ece16b00cff6e544429b3455a34d71435251399ee8b54c83c23b72719ceddfdc8

  • SSDEEP

    12288:NUIENsXWcNWxQA5II7X6Ag8vC5euujNBq0FaiCGMRBLMj:NU+XWcN6+I7X6AgFeuuBw0EZo

Malware Config

Extracted

Family

darkcomet

Botnet

fa

C2

mahmodemos.no-ip.org:1604

Mutex

DC_MUTEX-6ZSL9GY

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    60BQkPtZSaCq

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks