General
Target: 563ae8cf70c029d584550bf2ee4cd9f2_JaffaCakes118
Size: 852KB
Sample: 240518-xbqd8ahf4w
MD5: 563ae8cf70c029d584550bf2ee4cd9f2
SHA1: 34b77c7c1f7d5ac6e3414e88bff81119304a1cd5
SHA256: e44ede28721a044d4e0d710153be8fe7bae321e4467146168dc706c3da0def7e
SHA512: 8065fbc216cd4b8058be093c49088748ddfa41ed1456df224328ec21f84441e420abaab9cacaa93a9235ba4b11b9899a2eb1b9e7546e37c74dff715ae031371c
SSDEEP: 24576:9Z1xuVVjfFoynPaVBUR8f+kN10EdQATi:HQDgok30Mi
Behavioral task: behavioral1
Sample: 563ae8cf70c029d584550bf2ee4cd9f2_JaffaCakes118.exe
Resource: win7-20240215-en
Malware Config
Extracted: darkcomet
Server: neversmc.duckdns.org:1604
Mutex: DC_MUTEX-3XMENE3
InstallPath: le-ZE\Google\Mozilla\Fire\Wall\Lan\Zan\Fan\Lan\A\S\D\F\G\H\J\K\L\Z\X\C\V\B\N\M\O\Y\U\T\R\a\s\d\f\g\h\t\y\u\d\f\c\q\w\f\Google\Update\Fire\Look\Away\Form\Chrome\Zrome\Lrom\Krom\Update\a\s\d\g\h\j\n\m\b\g\f\r\y\r\googleupdate.exe
gencode: wBSc8CC6Kncx
install: true
offline_keylogger: true
persistence: true
reg_key: System
Targets
Target: 563ae8cf70c029d584550bf2ee4cd9f2_JaffaCakes118
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)