General
-
Target
0104907eed9e54c2419933d635c8882b_JaffaCakes118
-
Size
709KB
-
Sample
240426-r9lwsseg5s
-
MD5
0104907eed9e54c2419933d635c8882b
-
SHA1
1e492614b76775c37f5bf453dabf10f459231f16
-
SHA256
fba5cb745a133db3a20043a8a255515a43e851cd22218688b76b7f5fad4a6108
-
SHA512
fb4d3b6a020c4c6aaa5f3854c91aa84918fb3b327bdbbce11f67c972bfa8d4940f2b6b27b9134c6ddba051e7f5346b975e7754323aca967af73258958d924936
-
SSDEEP
12288:Y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hwe5V9w5P:MZ1xuVVjfFoynPaVBUR8f+kN10EBSOVa
Malware Config
Extracted
darkcomet
New
guadagnareonline.hopto.org:1604
DC_MUTEX-STBVEMZ
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Usi3icsCEkiS
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
0104907eed9e54c2419933d635c8882b_JaffaCakes118
-
Size
709KB
-
MD5
0104907eed9e54c2419933d635c8882b
-
SHA1
1e492614b76775c37f5bf453dabf10f459231f16
-
SHA256
fba5cb745a133db3a20043a8a255515a43e851cd22218688b76b7f5fad4a6108
-
SHA512
fb4d3b6a020c4c6aaa5f3854c91aa84918fb3b327bdbbce11f67c972bfa8d4940f2b6b27b9134c6ddba051e7f5346b975e7754323aca967af73258958d924936
-
SSDEEP
12288:Y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hwe5V9w5P:MZ1xuVVjfFoynPaVBUR8f+kN10EBSOVa
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1