General
-
Target
63cbce809a2813c3a62433cd1a71ece6_JaffaCakes118
-
Size
398KB
-
Sample
240521-sysqmsaf2y
-
MD5
63cbce809a2813c3a62433cd1a71ece6
-
SHA1
611253d54dd926899e9e6d7607ef137a3a1562c1
-
SHA256
9740492962928aafcfc3823083ab7e1b092afdbccc830c607f01019537b80407
-
SHA512
6febbe6f6feb7b4159e97bbd8398fe08144463f99a16e7d0f10e05e62d2d0b516d12775fb0999dfd1716260b0e06dcfe242fdd2ed44201c89e285b16b4c04370
-
SSDEEP
6144:vcNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0P8jWqYooSAHuIZ2GmJ6SXOk:vcWkbgTYWnYnt/IDYhPKWThDuIlm/O
Behavioral task
behavioral1
Sample
63cbce809a2813c3a62433cd1a71ece6_JaffaCakes118.exe
Resource
win7-20240220-en
Malware Config
Extracted
Family
darkcomet
-
Botnet
FACK YOU
-
C2
mfashi.ddns.net:1995
192.168.0.102:1995
-
Mutex
DC_MUTEX-RRN2THV
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
ADipTpuqkEHM
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
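The block below is an added worked example, not part of the sandbox report and not code from the report's author: it shows how a config like the one above is recovered from a DarkComet 5.x build and normalised to the field names the report uses. The layout it assumes (one `KEY={hex}` line per setting, each value RC4-encrypted with the build's version key such as `#KCMDDC51#-890`, `NETDATA` as a `|`-separated host:port list, flags stored as `1`/`0`) and the key list are taken from public DarkComet write-ups and should be treated as assumptions; the encrypted blob it decodes is constructed in the block from the report's own values, not read from the real sample's resource. Two practitioner points it bakes in: the second C2 entry, 192.168.0.102, is an RFC 1918 address (most likely the operator's LAN test box) and is dropped from the routable hunting set; and the report's `persistence` flag maps to `PERSINST`, DarkComet's self-reinstall watchdog option, not to the Run key named by `reg_key`, so `persistence: false` next to a Run-key signature is not a contradiction.

```python
# Added example (not from the sandbox report): decode a DarkComet 5.x-style
# config and normalise it to the report's field names. Key list, line layout
# and field names are assumptions from public write-ups; SAMPLE_BLOB is
# constructed here from the report's values, not the sample's real resource.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Version keys (assumed). A configured server password is appended to the
# version key, so callers can pass their own candidate list.
DARKCOMET_KEYS: List[str] = [
    "#KCMDDC51#-890", "#KCMDDC5#-890", "#KCMDDC42F#-890",
    "#KCMDDC42#-890", "#KCMDDC4#-890", "#KCMDDC2#-890",
]
CONFIG_LINE = re.compile(r"^([A-Z0-9]+)=\{([0-9A-Fa-f]*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_fields(blob: bytes, key: str) -> Dict[str, str]:
    """Decrypt every KEY={hex} line; a non-printable result means the key is
    wrong, so return an empty dict rather than garbage."""
    fields: Dict[str, str] = {}
    for line in blob.decode("latin-1").splitlines():
        m = CONFIG_LINE.match(line.strip())
        if not m:
            continue  # banner lines such as '#BEGIN DARKCOMET DATA --'
        name, hexval = m.groups()
        plain = rc4(key.encode(), bytes.fromhex(hexval))
        if any(b < 0x20 or b > 0x7E for b in plain):
            return {}
        fields[name] = plain.decode("ascii")
    return fields


def find_key_and_decrypt(blob: bytes, candidates: List[str] = DARKCOMET_KEYS
                         ) -> Optional[Tuple[str, Dict[str, str]]]:
    """Try each candidate key; every DarkComet config has a DC_MUTEX- entry,
    which serves as the sanity check for a correct key."""
    for key in candidates:
        fields = decrypt_fields(blob, key)
        if fields.get("MUTEX", "").startswith("DC_MUTEX-"):
            return key, fields
    return None


def normalise(fields: Dict[str, str]) -> Dict[str, object]:
    """Map raw config keys to the report's field names (mapping assumed)."""
    return {
        "family": "darkcomet",
        "botnet": fields.get("SID"),
        "c2": [h for h in fields.get("NETDATA", "").split("|") if h],
        "mutex": fields.get("MUTEX"),
        "InstallPath": fields.get("EDTPATH"),
        "gencode": fields.get("GENCODE"),
        "install": fields.get("INSTALL") == "1",
        "offline_keylogger": fields.get("OFFLINEK") == "1",
        "persistence": fields.get("PERSINST") == "1",  # self-reinstall watchdog, not the Run key
        "reg_key": fields.get("KEYNAME"),
    }


def routable_c2(c2: List[str]) -> List[str]:
    """Drop entries whose host is a private/loopback IP; hostnames are kept."""
    keep = []
    for entry in c2:
        host = entry.rsplit(":", 1)[0]
        try:
            if not ipaddress.ip_address(host).is_global:
                continue
        except ValueError:
            pass  # not an IP literal, i.e. a hostname
        keep.append(entry)
    return keep


# Constructed sample: the report's values encrypted the way a 5.1 build is
# assumed to store them, so the decoder can be exercised offline.
SAMPLE_KEY = "#KCMDDC51#-890"
SAMPLE_PLAIN = {
    "MUTEX": "DC_MUTEX-RRN2THV", "SID": "FACK YOU",
    "NETDATA": "mfashi.ddns.net:1995|192.168.0.102:1995",
    "GENCODE": "ADipTpuqkEHM", "INSTALL": "1", "EDTPATH": "MSDCSC\\msdcsc.exe",
    "KEYNAME": "MicroUpdate", "PERSINST": "0", "OFFLINEK": "1",
}
SAMPLE_BLOB = ("#BEGIN DARKCOMET DATA --\r\n" + "".join(
    f"{k}={{{rc4(SAMPLE_KEY.encode(), v.encode()).hex().upper()}}}\r\n"
    for k, v in SAMPLE_PLAIN.items()) + "#EOF DARKCOMET DATA --\r\n").encode("latin-1")


def decode_sample() -> Dict[str, object]:
    found = find_key_and_decrypt(SAMPLE_BLOB)
    if found is None:
        raise ValueError("no known DarkComet key decrypts this blob")
    key, fields = found
    cfg = normalise(fields)
    cfg["key"] = key
    cfg["c2_routable"] = routable_c2(cfg["c2"])  # type: ignore[arg-type]
    return cfg


if __name__ == "__main__":
    for name, value in decode_sample().items():
        print(f"{name}: {value}")
```

To run it against a real binary, replace `SAMPLE_BLOB` with the bytes of the sample's DCDATA resource and, if a server password was configured, add `version_key + password` to the candidate list.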
Targets
-
Target
63cbce809a2813c3a62433cd1a71ece6_JaffaCakes118
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-