General
-
Target
7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118
-
Size
501KB
-
Sample
240726-sek7fsycrb
-
MD5
7489d6d9182cfb315a028a9670a1eaa7
-
SHA1
6248b643e2700e60960d7ea7911926310d6bdb41
-
SHA256
539cb4699daed68cce319ba88bb97ed2211321ab7d8342370bcd958f3de6af38
-
SHA512
8e795753a7818a5818f29586b57750f6e397475299924624d4a27fb9a8c81194bf16b7c6af108dbc4961b222dfe7a3cfedcf8c7be040bde27b3cf6ec485dc4ea
-
SSDEEP
6144:+pnVaARrQbqPwZQU+gr+h8Ug1Dgpfd+5R8Kyt9oXtzYYjsUE+ksQIPSkh7h/SL:Wnka8AHeb405Rt9Je4/Skh9/S
Malware Config
Extracted
darkcomet
Guest16
speeed.zapto.org:15963
speeed.hopto.org:15963
DC_MUTEX-WLBBHZN
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
3Vr9Alq967cJ
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118
-
Size
501KB
-
MD5
7489d6d9182cfb315a028a9670a1eaa7
-
SHA1
6248b643e2700e60960d7ea7911926310d6bdb41
-
SHA256
539cb4699daed68cce319ba88bb97ed2211321ab7d8342370bcd958f3de6af38
-
SHA512
8e795753a7818a5818f29586b57750f6e397475299924624d4a27fb9a8c81194bf16b7c6af108dbc4961b222dfe7a3cfedcf8c7be040bde27b3cf6ec485dc4ea
-
SSDEEP
6144:+pnVaARrQbqPwZQU+gr+h8Ug1Dgpfd+5R8Kyt9oXtzYYjsUE+ksQIPSkh7h/SL:Wnka8AHeb405Rt9Je4/Skh9/S
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1