General

  • Target

    JaffaCakes118_50e91c866780376d85903b3f77f2cbf4

  • Size

    247KB

  • Sample

    250305-g93jfa1py4

  • MD5

    50e91c866780376d85903b3f77f2cbf4

  • SHA1

    2f08bada5a8eacc0964be359ac86231264a9b062

  • SHA256

    3309a7f3bdb1a45e96b408aff635b98f080721a5719ef9832bd395d6d60eed42

  • SHA512

    8a535514a765d23bafc4c4d633f66d2cc5835ec388a9fa7598ec48d72cba7c6624ffdfe9e841bbafed4523d375cdf8b7a837377334d5af0693ca14185104aaa3

  • SSDEEP

    6144:Eh365FFhnGsmuIFtNh36fMbPC/LO7sETVuX2ljWX/aBXW:u36DnGsmuIFz4fMbeysCWZIG

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

0177cool.no-ip.org:1604

Mutex

DC_MUTEX-MSEVEB3

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    PcRKqw9CAqUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Targets

    • Target

      MW1 ESP-Boxes Hack V.3.1.exe

    • Size

      253KB

    • MD5

      2c1c85a951474923ca5cac7db2f52bd8

    • SHA1

      573946f3cde8f3aa88bdc7fc273aa2867f6f0f8f

    • SHA256

      86ff233d6f709f9701c5b21966f1b8cc874dda4ec6898deb28d5776130e34602

    • SHA512

      8a16d9f7eb0796d3c6ba0e69afc564292b97bf0fedc681c8761b169eeef30616009994d6824b0aca08f654f4d64d967f44e44d9274114ddfbc790f87d5be06cd

    • SSDEEP

      6144:aBJVqu5jxRl+t6Ge0qw0kw9+Ks9a8/7z6ln:atqwjxRl+t6GfL7zc

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

MITRE ATT&CK Enterprise v15

Tasks