General

  • Target

    e7b73ce97bfba7fb0f034b73f418c95d_JaffaCakes118

  • Size

    251KB

  • Sample

    241212-w6kxjssphz

  • MD5

    e7b73ce97bfba7fb0f034b73f418c95d

  • SHA1

    29df206f5e1a8f929518edb2d636b07638a71e9d

  • SHA256

    05dd8e51fa3d08ac6d5c4bb6c8692bbb5991624dd625c4dbb8c40773634a5bc4

  • SHA512

    d6512d7d2bd351bddea9ca5a71d1270752da43e0b754a01664ddb34e61c1df5e68a7f929badd370a9bcc2cf6e54657a706f68f9ba33ef613bf4911a95bae15b6

  • SSDEEP

    6144:GcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37c:GcW7KEZlPzCy37c

Malware Config

Extracted

Family

darkcomet

Botnet

Sandbox

C2

sammich.zapto.org:20000

127.0.0.1:20000

Mutex

DC_MUTEX-9M2A57V

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    EeioSF9CjmMk

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Targets

    • Target

      e7b73ce97bfba7fb0f034b73f418c95d_JaffaCakes118

    • Size

      251KB

    • MD5

      e7b73ce97bfba7fb0f034b73f418c95d

    • SHA1

      29df206f5e1a8f929518edb2d636b07638a71e9d

    • SHA256

      05dd8e51fa3d08ac6d5c4bb6c8692bbb5991624dd625c4dbb8c40773634a5bc4

    • SHA512

      d6512d7d2bd351bddea9ca5a71d1270752da43e0b754a01664ddb34e61c1df5e68a7f929badd370a9bcc2cf6e54657a706f68f9ba33ef613bf4911a95bae15b6

    • SSDEEP

      6144:GcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37c:GcW7KEZlPzCy37c

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks