General
-
Target
ed10850ad8d0971da324de2c30729742_JaffaCakes118
-
Size
2.1MB
-
Sample
240411-k4bejsgd34
-
MD5
ed10850ad8d0971da324de2c30729742
-
SHA1
bb2f3935b780d1200554d9915da9e87d76edffbe
-
SHA256
ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9
-
SHA512
197ce8f3282cfc640e702841d87f088e4a86a1c95f3bdb78f806eb86d1b72684ebfc1f53b98e8708e71c87b92c8f5b5f969bd84194a3260ea7f95980ef54a8dd
-
SSDEEP
49152:EiobiV082zrjoFFfQnU26RO0QaXIe7P7uCzrlOrtD57loZQu:ZVX2zraE1yIe+CzrlO557pu
Malware Config
Extracted
darkcomet
SeptemBER 2021
bonding79.ddns.net:3316
goodgt79.ddns.net:3316
whatis79.ddns.net:3316
smath79.ddns.net:3316
jacknop79.ddns.net:3316
chrisle79.ddns.net:3316
DC_MUTEX-6JQTXC0
-
gencode
cVaduGzs7zFu
-
install
false
-
offline_keylogger
true
-
password
Password20$
-
persistence
false
Targets
-
-
Target
ed10850ad8d0971da324de2c30729742_JaffaCakes118
-
Size
2.1MB
-
MD5
ed10850ad8d0971da324de2c30729742
-
SHA1
bb2f3935b780d1200554d9915da9e87d76edffbe
-
SHA256
ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9
-
SHA512
197ce8f3282cfc640e702841d87f088e4a86a1c95f3bdb78f806eb86d1b72684ebfc1f53b98e8708e71c87b92c8f5b5f969bd84194a3260ea7f95980ef54a8dd
-
SSDEEP
49152:EiobiV082zrjoFFfQnU26RO0QaXIe7P7uCzrlOrtD57loZQu:ZVX2zraE1yIe+CzrlO557pu
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-