General
Target: 0cefddee520a452c16049eedbacfbb50_JaffaCakes118
Size: 696KB
Sample: 240625-gsj1rsxbrj
MD5: 0cefddee520a452c16049eedbacfbb50
SHA1: 284bd10d6388e4d2335a4c52b50eaee5aee71766
SHA256: 5a6c373db5a474087805d24d6e1103dc33d3fdbaa2d0ab9d99bf1456303b7214
SHA512: acb63415799c4a0cc0e1d445310909d3afb68f4dd3a3aeb19bae28df256ef9a4a7ff269b18fed1273590d93987f824fa88525268f991f5fe4fd7d863a06dda77
SSDEEP: 12288:zzfB7FOSQSTvIErK16xYZ0ogYILdh6BUyulWVXs+zAjmkzzia4ju0J7HSs0as:zrOSj0ErLx5dgBUZWbA6a4jT7HSs6
Static task: static1
Behavioral task: behavioral1
Sample: 0cefddee520a452c16049eedbacfbb50_JaffaCakes118.exe
Resource: win7-20240611-en
Malware Config
Extracted: darkcomet
- HF
- 192.168.0.2:100
- surfingforus.zapto.org:100
- DC_MUTEX-B4DJA70
- InstallPath: MSDCSC\msdcsc.exe
- gencode: ShXk49WH4tyF
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Extracted: latentbot
- surfingforus.zapto.org
Targets
Target: 0cefddee520a452c16049eedbacfbb50_JaffaCakes118
Size: 696KB
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext