General

  • Target

    JaffaCakes118_3d840bd3645c2e771925f69f01f57d79

  • Size

    662KB

  • Sample

    250302-dsdbfasxhx

  • MD5

    3d840bd3645c2e771925f69f01f57d79

  • SHA1

    6968de7239ecfe40e3abd82cc511a56d522ebcb0

  • SHA256

    3a40dfa06d6cbf1460d577c9702f6a9fcfce8015efab1ae9291631a6aa114121

  • SHA512

    79421ad6f143d46e49a5f2fb123dcadac20277619f5d2454ebc2489758fa9fbc981189dcec35130d7114afd1cf12102d00a33689d690c9a5f7d4dca8aa48894a

  • SSDEEP

    12288:J+oo9XzmJrxpAs4AXJcgj1pQOU65WK1539jlFUl7u7i+wAHo8sY/H9WwH:JK9XKJdeAXj1pQo5WK1oluWLAkYHH

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16 (DarkComet's default campaign ID)

C2

127.0.0.1:1604 (loopback, on DarkComet's default listener port 1604: as built, the implant only connects to a controller running on the infected host itself, so this sample yields no network C2 indicator)

Mutex

DC_MUTEX-6WNCX4P

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    EX6ZMo5JYe6J

  • install

    true

  • offline_keylogger

    true

persistence

false (this is DarkComet's "persistence installation" option, which re-creates the implant if it is removed; startup registration is governed by install and reg_key, so the false value does not contradict the Run-key and WinLogon signatures below)

  • reg_key

    MicroUpdate

rc4.plain
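The Attributes above are the decoded form of the configuration DarkComet embeds in its own binary. The following script, added here as an example and not taken from the sandbox or from DarkComet's code, shows how that decoding is done: it tries the published per-version RC4 keys against the hex-encoded DCDATA resource, parses the KEY={value} lines into the attribute names used in this report, and flags a C2 list that contains only loopback addresses. The resource layout (uppercase hex of RC4 ciphertext, plaintext framed by a "#BEGIN DARKCOMET DATA --" header and an "#EOF DARKCOMET DATA --" trailer), the key list, and the field names MUTEX, SID, NETDATA, GENCODE, INSTALL, OFFLINEK, PERSINST, KEYNAME and EDTPATH are assumptions based on the builder's format. The sample blob is constructed inside the script by encrypting a config that mirrors the values above; it is not taken from this binary.

```python
import re
import ipaddress
from typing import Optional, Tuple

# Published per-version RC4 keys for the DCDATA resource (assumption: this is
# the usual 2.x to 5.1 set; patched builds may use something else).
KNOWN_KEYS = (b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890", b"#KCMDDC2#-890")
HEADER = b"#BEGIN DARKCOMET DATA --"   # assumed plaintext framing
TRAILER = b"#EOF DARKCOMET DATA --"

# Builder field name -> attribute name used in the report (assumed names).
FIELD_MAP = {
    "SID": "botnet", "NETDATA": "c2", "MUTEX": "mutex", "GENCODE": "gencode",
    "INSTALL": "install", "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence", "KEYNAME": "reg_key", "EDTPATH": "InstallPath",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(hex_blob: str, keys=KNOWN_KEYS) -> Optional[Tuple[str, bytes]]:
    """Try each key against the hex-encoded resource; accept the first
    plaintext that carries the expected header."""
    ciphertext = bytes.fromhex(hex_blob.strip())
    for key in keys:
        plain = rc4(key, ciphertext)
        if plain.startswith(HEADER):
            return key.decode(), plain
    return None


def parse_config(plaintext: bytes) -> dict:
    """Map KEY={value} lines onto the report's attribute names."""
    cfg = {}
    for m in re.finditer(rb"^([A-Z0-9]+)=\{(.*?)\}\s*$", plaintext, re.M):
        field = FIELD_MAP.get(m.group(1).decode())
        if field is None:
            continue                      # fields the report does not list
        value = m.group(2).decode("latin-1")
        if field in BOOL_FIELDS:
            cfg[field] = value == "1"
        elif field == "c2":
            cfg[field] = [h for h in value.split("|") if h]   # builder allows several hosts
        else:
            cfg[field] = value
    return cfg


def is_loopback(hostport: str) -> bool:
    host = hostport.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def extract_config(hex_blob: str) -> Optional[dict]:
    found = decrypt_dcdata(hex_blob)
    if found is None:
        return None
    key, plain = found
    cfg = parse_config(plain)
    cfg["rc4_key"] = key
    # A C2 list made only of loopback entries yields no network indicator.
    cfg["c2_loopback_only"] = bool(cfg.get("c2")) and all(is_loopback(h) for h in cfg["c2"])
    return cfg


# Constructed sample: a config mirroring the values in the report, RC4-encrypted
# with the 5.1 key and hex-encoded the way the resource stores it.
_SAMPLE_PLAIN = b"\r\n".join([
    HEADER, b"MUTEX={DC_MUTEX-6WNCX4P}", b"SID={Guest16}", b"NETDATA={127.0.0.1:1604}",
    b"GENCODE={EX6ZMo5JYe6J}", b"INSTALL={1}", b"EDTPATH={MSDCSC\\msdcsc.exe}",
    b"KEYNAME={MicroUpdate}", b"PERSINST={0}", b"OFFLINEK={1}", TRAILER,
]) + b"\r\n"
SAMPLE_DCDATA_HEX = rc4(b"#KCMDDC51#-890", _SAMPLE_PLAIN).hex().upper()

if __name__ == "__main__":
    for name, value in sorted(extract_config(SAMPLE_DCDATA_HEX).items()):
        print(f"{name}: {value}")
```

To run this against a real sample, pull the DCDATA entry out of the PE's resource directory (pefile's DIRECTORY_ENTRY_RESOURCE tree will do), decode its bytes as text and pass that to extract_config(). A None result means an unknown key or a different config format, not a clean file.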

Targets

    • Target

      JaffaCakes118_3d840bd3645c2e771925f69f01f57d79

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (DarkCoderSc). It carries its configuration inside the binary as an RC4-encrypted resource; the Malware Config section above is the decoded form of that resource.

    • Darkcomet family

      Family classification tag, assigned because the decoded configuration and the behaviour signatures below match DarkComet.

    • Modifies WinLogon for persistence

      Changes the Winlogon Userinit or Shell registry value so the implant is started at every logon (ATT&CK T1547.004).

    • Executes dropped EXE

      Runs a file the sample itself wrote to disk; with install set to true in the configuration, that is the copy installed as MSDCSC\msdcsc.exe.

    • Loads dropped DLL

      Loads a DLL the sample wrote to disk.

    • Uses the VBS compiler for execution

      Starts vbc.exe, the .NET Visual Basic compiler (the signature name says "VBS", but this is not the VBScript engine). Read together with the SetThreadContext signature below, a compiler started by the implant's own process is the shape of process hollowing into a trusted host (ATT&CK T1055.012).

    • Adds Run key to start application

      Creates a CurrentVersion\Run value, named MicroUpdate per the reg_key attribute, pointing at the installed copy (ATT&CK T1547.001).

    • Suspicious use of SetThreadContext

      Rewrites the thread context of another process, the step that redirects execution into injected code once the host process has been hollowed.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer. Unpack before static analysis (upx -d for a stock stub); a modified stub may refuse, in which case dump the image from memory after the unpacking stub has run.
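The signatures above are what the sandbox observed; on a host the same behaviour appears in process-creation, file-creation and registry-set telemetry. The script below is an added example (not the sandbox's rule set and not anything from DarkComet) that runs a few such rules over constructed Sysmon-style events, using the install path and the Run value name from the configuration above as sample-specific indicators. The event field names (EventID, Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details) follow Sysmon event IDs 1, 11 and 13; the ATT&CK technique mapping is the example's own, since the report names only the framework version. It treats vbc.exe spawned by a dropped file with a bare command line (no compiler arguments) as the hollowed host; the sample events include a real MSBuild-driven vbc.exe run and a vendor Run value as negative controls.

```python
import re

# Sample-specific indicators, taken from the extracted config above.
INSTALL_PATH_RE = re.compile(r"\\MSDCSC\\msdcsc\.exe$", re.I)
RUN_VALUE_NAME = "MicroUpdate"

# Generic DarkComet-style behaviour the sandbox signatures describe.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
WINLOGON_RE = re.compile(r"\\Winlogon\\(Userinit|Shell)$", re.I)
VBC_RE = re.compile(r"\\vbc\.exe$", re.I)

# Signature -> ATT&CK Enterprise technique. This mapping is the example's own;
# "Executes dropped EXE" is an observable rather than a technique and stays unmapped.
TECHNIQUE = {
    "Adds Run key to start application": "T1547.001",    # Registry Run Keys / Startup Folder
    "Modifies WinLogon for persistence": "T1547.004",    # Winlogon Helper DLL
    "Uses the VBS compiler for execution": "T1055.012",  # Process Hollowing
    "Executes dropped EXE": None,
}


def _finding(idx, signature, severity, why):
    return {"event": idx, "signature": signature, "technique": TECHNIQUE[signature],
            "severity": severity, "why": why}


def detect(events):
    """Run the rules over Sysmon-style events (EventID 1/11/13 fields assumed)."""
    findings = []
    dropped = set()   # lower-cased paths written by EventID 11 earlier in the trace
    for idx, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 11:
            dropped.add(ev.get("TargetFilename", "").lower())
        elif eid == 1:
            parent = ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "").strip().strip('"')
            if image.lower() in dropped:
                sev = "high" if INSTALL_PATH_RE.search(image) else "medium"
                findings.append(_finding(idx, "Executes dropped EXE", sev,
                                         "image was created earlier in this trace"))
            # vbc.exe started by a dropped file with only its own path on the
            # command line (no sources, no response file) is a hollowing host.
            if VBC_RE.search(image) and parent.lower() in dropped and VBC_RE.search(cmd):
                findings.append(_finding(idx, "Uses the VBS compiler for execution", "high",
                                         "vbc.exe spawned by dropped file without compiler arguments"))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            m = RUN_KEY_RE.search(target)
            if m:
                ioc = m.group(1) == RUN_VALUE_NAME or bool(INSTALL_PATH_RE.search(details))
                findings.append(_finding(idx, "Adds Run key to start application",
                                         "high" if ioc else "low",
                                         f"Run value {m.group(1)!r} -> {details}"))
            if WINLOGON_RE.search(target):
                findings.append(_finding(idx, "Modifies WinLogon for persistence", "high",
                                         f"{target} set to {details}"))
    return findings


# Constructed events (not from the sandbox run): drop, install, persist, hollow,
# followed by two benign events that must not fire as high-severity findings.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Desktop\invoice.exe",
     "TargetFilename": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe",
     "ParentImage": r"C:\Users\alice\Desktop\invoice.exe",
     "CommandLine": r'"C:\Users\alice\Documents\MSDCSC\msdcsc.exe"'},
    {"EventID": 13, "Image": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "Details": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\alice\Documents\MSDCSC\msdcsc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\alice\Documents\MSDCSC\msdcsc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"vbc.exe /noconfig @obj\Debug\App.rsp"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe /background"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] event {f['event']}: {f['signature']} ({f['technique']}) - {f['why']}")
```

The Run-key rule deliberately still emits a low-severity finding for the vendor value: Run values are common, so the rule reports them and lets the install-path and value-name indicators decide the severity instead of suppressing the event outright.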

MITRE ATT&CK Enterprise v15

Tasks