General
-
Target
ffc2e4b24496363b727f6e4dbca30824_JaffaCakes118
-
Size
1.3MB
-
Sample
240421-vnyj9aga8z
-
MD5
ffc2e4b24496363b727f6e4dbca30824
-
SHA1
596e01d5c84cd459689c4bf69e3f83f4575be640
-
SHA256
039fb1c8675255b8edefc207b6362e0da58b6d9ddd767fea06a705ce54326fb8
-
SHA512
75a8da478550e1922621d3bbded40dd9baeb6e292cd493c8a5e116344565f20305c67969fa07f390ab54d113fc0471cdf37888dd2015cea881e7e4da10549493
-
SSDEEP
24576:xv3eNL+gpwfoYqFzwRWGqx8BsptOwCRS03kWaZYjEeUK/cRgOnmq9g6mzk8Axq:J3e5+gpwIFzwzqxmsvOPS0UWuucOU7m1
Malware Config
Extracted
darkcomet
Guest16
dark123comet00.no-ip.biz:1604
DC_MUTEX-H9W4RQ4
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
HyRqKCh4ATSA
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
ffc2e4b24496363b727f6e4dbca30824_JaffaCakes118
-
Size
1.3MB
-
MD5
ffc2e4b24496363b727f6e4dbca30824
-
SHA1
596e01d5c84cd459689c4bf69e3f83f4575be640
-
SHA256
039fb1c8675255b8edefc207b6362e0da58b6d9ddd767fea06a705ce54326fb8
-
SHA512
75a8da478550e1922621d3bbded40dd9baeb6e292cd493c8a5e116344565f20305c67969fa07f390ab54d113fc0471cdf37888dd2015cea881e7e4da10549493
-
SSDEEP
24576:xv3eNL+gpwfoYqFzwRWGqx8BsptOwCRS03kWaZYjEeUK/cRgOnmq9g6mzk8Axq:J3e5+gpwIFzwzqxmsvOPS0UWuucOU7m1
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1