General

  • Target

    JaffaCakes118_534aa4131eca826559a695f218999758

  • Size

    501KB

  • Sample

    250305-xz62waxkw2

  • MD5

    534aa4131eca826559a695f218999758

  • SHA1

    65b89dbc835dfb93c92fb2f8af793dec11b8292e

  • SHA256

    375e74db854724146b2630091121af4d7c062ddc812697edb4a98f2a6b0340c5

  • SHA512

    518fe38b9d46fe323f9b9358dd1ae23879cfc097a3d2f49c46b847e768732e4f2b367951046fe45380dec70736a82ba08f0eed16ac54595f2c74f820d358faa1

  • SSDEEP

    12288:MCM+aPSx9BQ26xD6CPqbohjayHxtgFVd2BHqFa/t:pMvPSx7Qx5vPJZRtgFVKZ/

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.49:1604

Mutex

DC_MUTEX-MG70VQU

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    4ckUBRRxjDLl

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain
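The two Extracted blocks above are what a config decoder recovers from the server stub. The Python below is an added illustration of how those fields are obtained and mapped onto the report's labels; it is not the sandbox's decoder and not DarkComet code. It assumes, following public open-source decoders, that the config sits in the stub's DCDATA resource as upper-case hex of RC4 ciphertext, that 5.1 builds use the key #KCMDDC51#-890 (with a builder-set password appended when one was configured), and that the plaintext is KEY={VALUE} lines using DarkComet's own field names (SID, NETDATA, MUTEX, EDTPATH, KEYNAME, GENCODE, INSTALL, PERSINST, OFFLINEK). The ciphertext it decodes is constructed inside the block from a plaintext modelled on this report's first config; it is not bytes from the real sample. The function names (detect_key, decrypt_dcdata, parse_config, to_report_fields, c2_is_private) are this example's own.

```python
"""Decode a DarkComet 5.x stub config into the fields shown in this report.

Added illustration, not sandbox or DarkComet code. Assumed (from public
decoders): DCDATA resource = upper-case hex of RC4 ciphertext; key = version
marker (e.g. "#KCMDDC51#-890") + optional builder password; plaintext =
KEY={VALUE} lines. The sample ciphertext is constructed below, not real bytes.
"""
import binascii
import ipaddress
import re
from typing import Dict, Optional

# Version markers used as RC4 keys (list taken from open-source decoders; the
# marker is present verbatim in the stub, so the key can be found, not guessed).
KNOWN_KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890",
              b"#KCMDDC42#-890", b"#KCMDDC4#-890", b"#KCMDDC2#-890"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def detect_key(stub_bytes: bytes) -> Optional[bytes]:
    """Return the RC4 key whose version marker appears in the stub, else None."""
    for key in KNOWN_KEYS:
        if key in stub_bytes:
            return key
    return None


def decrypt_dcdata(hex_blob: bytes, key: bytes, password: bytes = b"") -> bytes:
    """Strip the hex layer, then RC4 with version key + optional password."""
    return rc4(key + password, binascii.unhexlify(hex_blob.strip()))


_KV = re.compile(rb"^([A-Z0-9]+)=\{(.*)\}$")


def parse_config(plain: bytes) -> Dict[str, str]:
    """KEY={VALUE} lines -> dict; the #BEGIN/#EOF marker lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in plain.splitlines():
        m = _KV.match(line.strip())
        if m:
            cfg[m.group(1).decode()] = m.group(2).decode("latin-1")
    return cfg


def to_report_fields(cfg: Dict[str, str]) -> Dict[str, object]:
    """Map DarkComet's field names onto the labels used in the report above."""
    flag = lambda name: cfg.get(name, "0") == "1"   # absent flag -> false
    return {
        "family": "darkcomet",
        "botnet": cfg.get("SID", ""),
        "c2": cfg.get("NETDATA", ""),
        "mutex": cfg.get("MUTEX", ""),
        "InstallPath": cfg.get("EDTPATH", ""),
        "gencode": cfg.get("GENCODE", ""),
        "install": flag("INSTALL"),
        "offline_keylogger": flag("OFFLINEK"),
        "persistence": flag("PERSINST"),
        "reg_key": cfg.get("KEYNAME", ""),
    }


def c2_is_private(netdata: str) -> bool:
    """True for RFC 1918 / loopback C2 addresses, i.e. a lab or LAN build that
    will never beacon to the internet. Hostnames cannot be judged -> False."""
    host = netdata.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


# Constructed plaintext modelled on the first Extracted block of this report.
SAMPLE_PLAIN = b"\r\n".join([
    b"#BEGIN DARKCOMET DATA --",
    b"MUTEX={DC_MUTEX-MG70VQU}",
    b"SID={Guest16}",
    b"NETDATA={192.168.1.49:1604}",
    b"GENCODE={4ckUBRRxjDLl}",
    b"INSTALL={1}",
    b"EDTPATH={MSDCSC\\msdcsc.exe}",
    b"KEYNAME={MicroUpdate}",
    b"PERSINST={1}",
    b"OFFLINEK={1}",
    b"#EOF DARKCOMET DATA --",
])
# Constructed stand-ins for the stub bytes and its DCDATA resource.
SAMPLE_STUB = b"MZ" + b"\x00" * 16 + KNOWN_KEYS[0] + b"\x00" * 16
SAMPLE_DCDATA = binascii.hexlify(rc4(KNOWN_KEYS[0], SAMPLE_PLAIN)).upper()


def decode_sample() -> Dict[str, object]:
    key = detect_key(SAMPLE_STUB)
    assert key is not None, "no DarkComet version marker in stub"
    return to_report_fields(parse_config(decrypt_dcdata(SAMPLE_DCDATA, key)))


if __name__ == "__main__":
    fields = decode_sample()
    for name, value in fields.items():
        print(f"{name:18} {value}")
    print("C2 is a private/lab address:", c2_is_private(str(fields["c2"])))
```

Two practical points fall out of running it. First, the C2 in this report (192.168.1.49:1604) is an RFC 1918 address, so the stub was built for a LAN or lab and will not reach a controller from an ordinary victim; network IOCs from it are of little use outside that network, while the host artefacts (mutex DC_MUTEX-MG70VQU, Run value MicroUpdate, MSDCSC\msdcsc.exe) still are. Second, the report's second Extracted block, with no gencode and every flag false, is exactly what this mapping produces for a config whose INSTALL, PERSINST and OFFLINEK fields are absent or zero. To use the code on a real stub, pass the file bytes to detect_key and the DCDATA resource bytes to decrypt_dcdata, supplying the builder password as the third argument if the default key yields garbage.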

Targets

    • Target

      JaffaCakes118_534aa4131eca826559a695f218999758

    • Size

      501KB

    • MD5

      534aa4131eca826559a695f218999758

    • SHA1

      65b89dbc835dfb93c92fb2f8af793dec11b8292e

    • SHA256

      375e74db854724146b2630091121af4d7c062ddc812697edb4a98f2a6b0340c5

    • SHA512

      518fe38b9d46fe323f9b9358dd1ae23879cfc097a3d2f49c46b847e768732e4f2b367951046fe45380dec70736a82ba08f0eed16ac54595f2c74f820d358faa1

    • SSDEEP

      12288:MCM+aPSx9BQ26xD6CPqbohjayHxtgFVd2BHqFa/t:pMvPSx7Qx5vPJZRtgFVKZ/

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so it does not show in Explorer or other default directory listings.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check before running.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks