General

  • Target

    f6d672794b8b4c02f5c671407955aa24_JaffaCakes118

  • Size

    890KB

  • Sample

    241216-crqdyaynf1

  • MD5

    f6d672794b8b4c02f5c671407955aa24

  • SHA1

    aa3261f54f574fd476129562af354f8c3631c59b

  • SHA256

    3ca01a8c0bb55c92e88f57640dea04c8a8e6419721e1536bcc5a13947645c08b

  • SHA512

    4a6eefcc4fd84bca4ad049d30b5c8edbfd7f6a1a3cef101c64afa3b7e06b1eeb06e0ad9468bf852a84898e66cd268d5b2da3f9270e846a513a8f6e3086f94d25

  • SSDEEP

    12288:TNdxlP9OqtG9B+2jOXUrxfyllxjfsrZwv3VBmk4NLecPqVB1oxGSIrbdd+6tCSWU:TNdxGscqlTv3VArLyB1IGSK

Malware Config

Extracted

Family

darkcomet

Botnet

New Test

C2

meteor63.no-ip.org:1604

Mutex

DC_MUTEX-XR5ADYH

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    GVYsL3brnVb8

  • install

    true

  • offline_keylogger

    false

  • password

    12345

  • persistence

    true

  • reg_key

    explorer

Targets

    • Target

      f6d672794b8b4c02f5c671407955aa24_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is hidden from Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.
