General

  • Target

    JaffaCakes118_522fb0b841be0d2c6f8a51103a0c54e6

  • Size

    899KB

  • Sample

    250305-qdn6lsyzbz

  • MD5

    522fb0b841be0d2c6f8a51103a0c54e6

  • SHA1

    bc043c88809074bfb7198563cbffb9fd88344e63

  • SHA256

    72c0bb47c16152e3888ee9acc856fdcad2a3f07fe056a5f7f28434334d2d563e

  • SHA512

    06718a234ad020be1ecc6a418b83659fdc28e144cd2117a3c89a8e2034893ffdebebde76a19dce871ebf1cb26ef975082639c70352d805f70ca8c1d376b21f1c

  • SSDEEP

    12288:KQ8Q5YyQLVqqnDmeCzuhjGCES8Y+QwqFyhSTdwAbl+Lt7Hz1/mv9k5z9e+v4Yzfb:KAYDRC6hjGRSOTQxtA1glyuYTBhiCQ4

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

bmc-cronos.no-ip.biz:1604

Mutex

DC_MUTEX-22VTL9J

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    6u19�F/39c08

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Targets

    • Target

      JaffaCakes118_522fb0b841be0d2c6f8a51103a0c54e6

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Sets the hidden file attribute so the file is not shown in Explorer and similar file browsers by default.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
