General

  • Target

    f9fa90288430f91833addc4ce54347a0_JaffaCakes118

  • Size

    328KB

  • Sample

    241218-ednpastjhp

  • MD5

    f9fa90288430f91833addc4ce54347a0

  • SHA1

    492120ab7a0645c6d742acb56d303999c008c475

  • SHA256

    66bf652ccd1e570c51dd1d869074823875694d1e57ab4ee6ed3da18135e3ace7

  • SHA512

    65e934356c43bd2518fbf51c9ff9f15a502332984d2d41feef62576e2a29e8d4d21eb4180d3c15aa96ab199f38e3f78204ffbfd62f4a4a5cfd9a286833ed7632

  • SSDEEP

    6144:zmyc5Y52bekxSO8y9GsfGU3gLahNiKZWAqfuexh9rYsWP89O1:zm+on9bfVhNQAwxjWP8Q1

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    S4League hacked

  • C2

    127.0.0.1:1604

    81.14.31.39:1604

    darkhackgael.no-ip.info:1604

  • Mutex

    DC_MUTEX-VY74S8K

  • Attributes

    • InstallPath

      MSDCSC\msdcsc.exe

    • gencode

      S2kPWNi5ysCM

    • install

      true

    • offline_keylogger

      true

    • persistence

      false

    • reg_key

      MicroUpdate

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
