General
Target: a59bfe032b2246782b50e59aa270d5a5_JaffaCakes118
Size: 263KB
Sample: 240818-gf38wa1fqp
MD5: a59bfe032b2246782b50e59aa270d5a5
SHA1: 38a5527e28785ec76b36864a0f7f2135843574d3
SHA256: 40cb38cb4b789d4f3781cd809ec36d9c0d0705742040abe460b7d4be275f7d2a
SHA512: 1e79107994149ee840aa5d213d36d755f0cd56fcb35e4a2aa0a87105d0bd11a4c00fdd1fd83e03d2410c29fb485718155eaf71a03410e8fdf1f1f09e62931b8e
SSDEEP: 6144:a9gzXQNDh44NrG+rsbn6e9qD77AckA7Vw2PrKVfijq0Eh:UgkN91NrG+rs7Xw77RV62GfijqXh
Behavioral task: behavioral1
Sample: RetroHack.exe
Resource: win7-20240708-en
Malware Config
Extracted: darkcomet
Campaign ID: Guest16
C2: zapperdezippzap.zapto.org:1604
Mutex: DC_MUTEX-1TF5DWF
InstallPath: MSDCSC\msdcsc.exe
gencode: oWJocAYWilPy
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Extracted: latentbot
C2: zapperdezippzap.zapto.org
Targets
Target: RetroHack.exe
Size: 650KB
MD5: f04f2b2f5d5a158dc13cc31454b49187
SHA1: 9f974f15a18c3bffac7d23ff7b86c74efafbe1db
SHA256: 19570160318b305d9700803dcafe231ad917fd78fce7c06a7a97e0b800ff295a
SHA512: 1a579d6304f078ec849bbb6d3d0aaf347873e7ad7fa1c0e2422b2444d15fedc26b927bb0da727d59415c2662da3195ef63e9918b982ba5cf36856437a9b28ea2
SSDEEP: 12288:7k0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+R:w0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gc
Signatures
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)