General

  • Target

    JaffaCakes118_1e436c0c825c20cd124da22141eabed4

  • Size

    1.2MB

  • Sample

    250223-d77htsxqw7

  • MD5

    1e436c0c825c20cd124da22141eabed4

  • SHA1

    4fcffcf7f1283364d9b890733bae5341f3328c29

  • SHA256

    1557ad8e05d89095afbe21e342c21050c3fe54bd100bd3f00a64f3b1c6f63313

  • SHA512

    bd0c4c8e065ea03c8ce3a0bbb14851eec74dd9666d774c9f369353080a242ab84f4feeb906950c406d53bee81de24a631958706a0e1db832747ca5bdb4e93c98

  • SSDEEP

    24576:imYLKyovOTPoWMP3EqX3YiP9xsM3qgQCbWyOPK/cRgOnmq9g6iB36rKX63:imzf7EuYVM3qdyrcOU7m6KlA

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mdk45.zapto.org:1604

Mutex

DC_MUTEX-MSP51MA

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    Ntgsqahc793H

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

rc4.plain

Targets

    • Target

      JaffaCakes118_1e436c0c825c20cd124da22141eabed4

    • Size

      1.2MB

    • MD5

      1e436c0c825c20cd124da22141eabed4

    • SHA1

      4fcffcf7f1283364d9b890733bae5341f3328c29

    • SHA256

      1557ad8e05d89095afbe21e342c21050c3fe54bd100bd3f00a64f3b1c6f63313

    • SHA512

      bd0c4c8e065ea03c8ce3a0bbb14851eec74dd9666d774c9f369353080a242ab84f4feeb906950c406d53bee81de24a631958706a0e1db832747ca5bdb4e93c98

    • SSDEEP

      24576:imYLKyovOTPoWMP3EqX3YiP9xsM3qgQCbWyOPK/cRgOnmq9g6iB36rKX63:imzf7EuYVM3qdyrcOU7m6KlA

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks