General

  • Target

    bfg.scr

  • Size

    659KB

  • Sample

    241224-ttkd5ssjbq

  • MD5

    34a9decaa4864e2007b841e3b1263761

  • SHA1

    2b69dee1e3a261f75d55221e8117c8a4e044483b

  • SHA256

    bef2ef2eb5e55984a4a647e91058b4f2012eb75cfbf7c69cacb33ade7e7f74cd

  • SHA512

    5c0691f744e2bbeaecca32e5e4f10076ed291672acdb58f0658bd1baff28ac3aa9265fdeeef43c8c383ba4b77ef23560c22e7a2afc1b8a7c95edf4b0ccbcf2f8

  • SSDEEP

    12288:69HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hT:2Z1xuVVjfFoynPaVBUR8f+kN10EBd

Malware Config

Extracted

Family

darkcomet

Botnet

Guest1f63242m

C2

rose324-33082.portmap.host:33082

Mutex

DC_MUTEX-E28WFKY

Attributes
  • InstallPath

    MSDCSC\msdcsjc.exe

  • gencode

    Ee0E6MjQSS7Q

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    reahltekaudio

Targets

    • Target

      bfg.scr

    • Size

      659KB

    • MD5

      34a9decaa4864e2007b841e3b1263761

    • SHA1

      2b69dee1e3a261f75d55221e8117c8a4e044483b

    • SHA256

      bef2ef2eb5e55984a4a647e91058b4f2012eb75cfbf7c69cacb33ade7e7f74cd

    • SHA512

      5c0691f744e2bbeaecca32e5e4f10076ed291672acdb58f0658bd1baff28ac3aa9265fdeeef43c8c383ba4b77ef23560c22e7a2afc1b8a7c95edf4b0ccbcf2f8

    • SSDEEP

      12288:69HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hT:2Z1xuVVjfFoynPaVBUR8f+kN10EBd

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks