General

  • Target

    e5b1bb3bb10e1870f622cbc5a49e1e9f_JaffaCakes118

  • Size

    676KB

  • Sample

    241212-k8hz7a1ral

  • MD5

    e5b1bb3bb10e1870f622cbc5a49e1e9f

  • SHA1

    77ace91242caaafebb4478068d064d3cb98f72a5

  • SHA256

    dff1fdf57e443884f73c50c7c3d285e6b752fa923a3601daa3c1ce63331ce4f2

  • SHA512

    a970b3b3625a3385cb0df70fa3b31b383dcc8efdccb9e47f595c9eec1ea87c1817a1fca2f4a9d62a1ef2bccf7031706e7c8935ba81c20d9c7a60ee7691cfde05

  • SSDEEP

    12288:cWRSJugNlxv0W3ZUwbqwpXbtL8LLtBYKuFewpncaXn3IWeK4DYrwjWK8hR/JSUSc:pQcgNTv0CUwbhtLuLYtFFJNeDErdh0Nu

Malware Config

Extracted

Family

darkcomet

Botnet

24/12/2012 1604

C2

158.255.215.83:1700

Mutex

DC_MUTEX-YEWS2Q4

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    3xmvFz3cURTB

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
