General

  • Target

    JaffaCakes118_4f9db8acfee94992c91288a6a729b1a0

  • Size

    251KB

  • Sample

    250304-zz3qka1pv2

  • MD5

    4f9db8acfee94992c91288a6a729b1a0

  • SHA1

    defe88b3d2335bbd6ac16caa72b596ef118ddc9e

  • SHA256

    00d0927a202e17cd9493f2848ef9b807f29aed3bd4ad18ccaa776224a71f3139

  • SHA512

    f992ea6558f28ae2b4065c5d8bd0e4efa977c8cdbd50ce998d133a570830a3025c7d572ce3f8467371c13f91af66c23a19a5cd11df91705fc9476178e5ed5f06

  • SSDEEP

    6144:1cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37:1cW7KEZlPzCy37

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

aa1.no-ip.info:3175

Mutex

DC_MUTEX-HUT43HU

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    bStBj9WpETtE

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.
