General

  • Target

    JaffaCakes118_50d5a14d2889e23b47e5bc1124319470

  • Size

    658KB

  • Sample

    250305-gv4g7a1sat

  • MD5

    50d5a14d2889e23b47e5bc1124319470

  • SHA1

    ff4782f592761b3eff3a43b33032c6a76e4dfdf5

  • SHA256

    95d031e7d898c92f065da4fc3064398bde5bbe97826c625bef4e98e591d5188a

  • SHA512

    69076c26ef996f47c490528514b5c5537e6197e9ada42431f3af2f5aa233c18b4277c8af6daf5f9031a8801a313f114db44e849543f72be8e7361769829c06d4

  • SSDEEP

    12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/he:eZ1xuVVjfFoynPaVBUR8f+kN10EBo

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

infohacked.no-ip.org:1604

Mutex

DC_MUTEX-HKH3CSC

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    bEmAeB0cX62m

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

rc4.plain

Targets

    • Target

      JaffaCakes118_50d5a14d2889e23b47e5bc1124319470

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks