General

  • Target

    f38dd1bc726b59e23dfaac331981349f_JaffaCakes118

  • Size

    1.4MB

  • Sample

    241215-md3r8a1lhw

  • MD5

    f38dd1bc726b59e23dfaac331981349f

  • SHA1

    6e9a25eeff4f7e6e3e9b1ed4314eff886433aff9

  • SHA256

    08057b729ad21b690a8a7130c81684b7635beb9f692520a081c926b21d3cbca3

  • SHA512

    a17d5a0e912bc0bca35679c20ddd908c3e8a69705fc1096ac497178d396b23ad94d72de66ece1098968c7a00e1a1ac0bd853dd33e93c6da51436b6b0cd905502

  • SSDEEP

    24576:0aHMv6CorjqnyC8llDnsHDumtkowIN/Vfy2t+G5ezJ52bLlL:01vqjdC8rDsH7tkowQtq2t+GQ4lL

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    M&M

  • C2

    nikagogichaishvili.no-ip.info:1604

  • Mutex

    DC_MUTEX-98H0DN8

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    nn4atqrKN3Pk

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    svchost

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks