General

  • Target

    JaffaCakes118_44773ef2374ab0a0cc5a44e4e654f58a

  • Size

    660KB

  • Sample

    250303-d7z4rav1es

  • MD5

    44773ef2374ab0a0cc5a44e4e654f58a

  • SHA1

    9ebb6678726302aea5c1bd08e645682db36e1581

  • SHA256

    a5e9e450f1935d4ddedb730bf319f8d982f3c273913746bb1f84b63abe861e1c

  • SHA512

    4a6fdb12a665388caf21969f5fe81f63e448a05653b988c894e627b210ad708ef7f2486dd526bc3e4b6a8013b962515f6afc82be3a9d863e61b5f4f4dc6db884

  • SSDEEP

    12288:EXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UU:SnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jk

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Guest16

  • C2

    127.0.0.1:4444

    black12345.zapto.org:4444

  • Mutex

    DC_MUTEX-F54S21D

  • Attributes

    • InstallPath

      MSDCSC\msdcsc.exe

    • gencode

      Y4pNceiPUfLV

    • install

      true

    • offline_keylogger

      true

    • persistence

      false

    • reg_key

      MicroUpdate

rc4.plain

Targets


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks