General

  • Target

    f30ed8f5df2593f3c1e4cc6a510d227c_JaffaCakes118

  • Size

    232KB

  • Sample

    241215-jxmzbszncm

  • MD5

    f30ed8f5df2593f3c1e4cc6a510d227c

  • SHA1

    3238ef0a8d00d8e0dd2183692d22eef5a5335b16

  • SHA256

    a378990bcc456c90a9e41ec8b2afd5d79bb650f0950666d4764dd3b59fa2bb06

  • SHA512

    9076ece426086690df6d32d2a151fc1fd922fb1eca72bebb1e09d8cd271ccd247064cde2975db0a6dac53060a98b0f0761fd7dc913ddacc65c8e6dd9be75b570

  • SSDEEP

    6144:6jFy93LU92VxOtVflFud4TnxcpPTASCmqMorHwMhoS:aFy9bPQZlFjrG0ZmYbw0oS

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

sayah.zapto.org:267

Mutex

DCMIN_MUTEX-LW8HYLF

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    409jcp2mUa9p

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    Face_upda
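The fields above are the usual DarkComet 5.x configuration keys as recovered from the stub's encrypted resource. The decoder below is an added example and is not code from the report or from DarkComet; it reconstructs how such a blob is decoded and mapped onto the fields shown. Everything it assumes is labelled: the resource holds one `KEY={value}` line per option, it is RC4-encrypted under one of the version keys that public decoders try (`#KCMDDC51#-890` for 5.1), it may be hex-encoded, and the key names (`MUTEX`, `SID`, `NETDATA`, `GENCODE`, `INSTALL`, `EDTPATH`, `KEYNAME`, `OFFLINEK`, `PERSINST`) follow those decoders. The encrypted blob in the block is constructed from the values on this page so the example runs offline; it is not the sample's actual resource.

```python
"""
DarkComet config decoder (added example; not the report's or the RAT's code).

Assumptions, none of which the report states:
  * the config lives in an RCDATA resource as RC4-encrypted text, optionally
    hex-encoded, framed by "#BEGIN DARKCOMET DATA --" / "#EOF DARKCOMET DATA --";
  * the RC4 key is one of the per-version keys tried by public decoders;
  * option names are the builder's (MUTEX, SID, NETDATA, EDTPATH, ...).
"""
import binascii
import re

# Candidate per-version keys (assumed from public decoders); 5.1 is last.
DC_KEYS = [b"#KCMDDC2#-890", b"#KCMDDC4#-890", b"#KCMDDC42#-890",
           b"#KCMDDC42F#-890", b"#KCMDDC5#-890", b"#KCMDDC51#-890"]
MARKER = b"DARKCOMET DATA"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed plaintext built from the values in this report (not the real
# resource); it is encrypted here only so that the decoder has input to work on.
CONSTRUCTED_PLAINTEXT = b"\r\n".join([
    b"#BEGIN DARKCOMET DATA --",
    b"MUTEX={DCMIN_MUTEX-LW8HYLF}",
    b"SID={Guest16_min}",
    b"NETDATA={sayah.zapto.org:267}",
    b"GENCODE={409jcp2mUa9p}",
    b"INSTALL={1}",
    b"EDTPATH={DCSCMIN\\IMDCSC.exe}",
    b"KEYNAME={Face_upda}",
    b"OFFLINEK={1}",
    b"PERSINST={0}",
    b"#EOF DARKCOMET DATA --",
])
CONSTRUCTED_BLOB = rc4(b"#KCMDDC51#-890", CONSTRUCTED_PLAINTEXT)


def parse_config(blob: bytes, keys=DC_KEYS) -> dict:
    """Decrypt a DCDATA-style blob with the first key that yields the marker,
    then split it into KEY -> value. Raises if no candidate key fits."""
    if re.fullmatch(rb"[0-9A-Fa-f]+", blob):      # some builds hex-encode the resource
        blob = binascii.unhexlify(blob)
    for key in keys:
        plain = rc4(key, blob)
        if MARKER in plain:                       # wrong key gives random bytes, never the marker
            break
    else:
        raise ValueError("no DarkComet config under any known key (other version or not DarkComet)")
    cfg = {}
    for line in plain.decode("latin-1").splitlines():
        if "={" in line and line.endswith("}"):   # KEY={value}; skip the #BEGIN/#EOF frame lines
            k, v = line.split("={", 1)
            cfg[k.strip()] = v[:-1]
    return cfg


def to_report(cfg: dict) -> dict:
    """Map raw builder options onto the field names used by the report."""
    def flag(name: str) -> bool:
        return cfg.get(name) == "1"
    return {
        "family": "darkcomet",
        "botnet": cfg.get("SID"),
        # NETDATA may list several host:port entries separated by '|' (assumed).
        "c2": [h for h in cfg.get("NETDATA", "").split("|") if h],
        "mutex": cfg.get("MUTEX"),
        "gencode": cfg.get("GENCODE"),
        "install": flag("INSTALL"),
        "install_path": cfg.get("EDTPATH"),
        "reg_key": cfg.get("KEYNAME"),
        "offline_keylogger": flag("OFFLINEK"),
        # PERSINST is the builder's "persistent installation" option (assumed);
        # it is a separate setting from the Run-key autostart the sandbox observed.
        "persistence": flag("PERSINST"),
    }


if __name__ == "__main__":
    for k, v in to_report(parse_config(CONSTRUCTED_BLOB)).items():
        print(f"{k:18} {v}")
```

Trying every candidate key and checking for the marker is what makes the decoder usable across builds: RC4 gives no error on a wrong key, only garbage, so the marker check is the only signal that decryption succeeded. On a real sample you would feed `parse_config` the bytes of the DCDATA resource (for example via `pefile`) instead of the constructed blob.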

Targets

    • Target

      f30ed8f5df2593f3c1e4cc6a510d227c_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks