General
Target: f6c9055d523b94dd0dd20cb2d59ce039_JaffaCakes118
Size: 423KB
Sample: 240417-28ca3shc36
MD5: f6c9055d523b94dd0dd20cb2d59ce039
SHA1: b25235cf8781ef947a70cebbe5ab5d3cfc18b442
SHA256: 6b4200469bff3fb5fd0c7880de7f67d2fa83260a4159bf3d2305e73f005cdf05
SHA512: bcc8ae473369b75ec54d83fab15c4eb1a582ac7b64db62e45976c4b979d8c9623113bcf6bf520496f9c9f33d9b4b2a2cdd27dee7c74a844f04883176021d03bf
SSDEEP: 12288:2lghoSqDNJ/Jj0PeLTCdKET05/hM4/KZood31gLeiW:8g2DNb0wCdKVhny/d31IeiW
Behavioral task
behavioral1
Sample: f6c9055d523b94dd0dd20cb2d59ce039_JaffaCakes118.exe
Resource: win7-20240221-en

Malware Config
Extracted
Family: darkcomet
Botnet: Victim
C2: dcrat214.no-ip.biz:1604
Mutex: DC_MUTEX-E5E9EN3
InstallPath: MSDCSC\msdcsc.exe
gencode: ndFoCwbBFulg
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
- Modifies WinLogon for persistence
- Modifies security service
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1