General

  • Target

    JaffaCakes118_9a4238d07b78cedaf9f16693faadaf26e524d37d82989871b7e8875a38c16318

  • Size

    1.1MB

  • Sample

    241222-y1gn2sxpct

  • MD5

    86293673d26bf1147c4d30b788a8daf1

  • SHA1

    113e557deaa3602893bdd50ffb4ac9880cc20d79

  • SHA256

    9a4238d07b78cedaf9f16693faadaf26e524d37d82989871b7e8875a38c16318

  • SHA512

    65a4d09416e6898c18bb91c80c666e47ae57b3a5f0cf4827f9602392a648e1f39984945e0b4706c906af15c06244da1bded9eae92356f95a8b7ec697037759ea

  • SSDEEP

    24576:UGIllGQbztkD3hqAYZg7PEtMJa7Wz9XypI1DWF64xDsFae:7IlN/yDRDDEtMJLNyQWF64eFp

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

dc2012.ddns.net:77

Mutex

DC_MUTEX-F666ELN

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    M472kUGFekzF

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Attributes

  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Targets

    • Target

      new calc.bin

    • Size

      1.1MB

    • MD5

      0878b366dd695cc10da365b40f454062

    • SHA1

      c21f65d76421ff06dab8ada263b5aca971a6d899

    • SHA256

      098aef2de51c227361d72b5607b9ec7fe463d9a185ff5300577e96371c75a69c

    • SHA512

      9b8213a3eea6f7fab26796768812a944539c0d2ea449b1354b51a6e71938d280c66babfd823d483c5faf797b86396680f9072bc12e954c5d32ee9fb16607c279

    • SSDEEP

      24576:RQox/GpVEAIT5XRtEyAPqsw97uN+XmxjeU/+sbG:RQoc45XTEyACt7uNHX/zbG

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks