General

  • Target

    JaffaCakes118_221dae9bce2731ae80e9b59a698f5f9e

  • Size

    510KB

  • Sample

    250225-f667sayn12

  • MD5

    221dae9bce2731ae80e9b59a698f5f9e

  • SHA1

    e39c57a2ba4c56febf4137b8528ad09e149c1c78

  • SHA256

    5f5219e9c1e803ade040e6f9c5f8e33191e1549964e388a9e42c5885828bcf43

  • SHA512

    e12caf1bd1fa47bbb7f79bce18d5ab0fef1724fba54246b0803548e3c95f5549814ad18d43fb05fef627e5f9b4f22fe5fed0da0b75b04d71a6b3bc056f541d83

  • SSDEEP

    12288:IdJOQ/7zFyoIJvubAgspY2O+JpubhQJbh:KgQ/HP2iU/ehQR

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

zipoto.zapto.org:1604

Mutex

DC_MUTEX-R9AD7D8

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    hUg.0T-RVCMG

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Targets

    • Target

      JaffaCakes118_221dae9bce2731ae80e9b59a698f5f9e

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks