General
- Target: ea4acbc78aca8f04f59983e83afea192_JaffaCakes118
- Size: 1006KB
- Sample: 240919-a95v8ssdjf
- MD5: ea4acbc78aca8f04f59983e83afea192
- SHA1: cf851eca55ace21437550f5b003fd724a5fe21f9
- SHA256: 8717ded6b7eb527c82916520e4ddc6e730dd2e984e6f39f92a19bdaae8fd2d30
- SHA512: 1987cadc13bcc5285523be50971db210a8f3f21ed90de5780bcd074d777ae1a7cae2b28703121aeedee99d1ea6c3a9cd2e4ac7a54944d187f124ff2120fae407
- SSDEEP: 24576:V7nIqVGaZS+1sjmP/e+iCIy6d8B84eEKTvJmg:VbVL71AthufMJ
Static task: static1
Behavioral task: behavioral1
- Sample: ea4acbc78aca8f04f59983e83afea192_JaffaCakes118.exe
- Resource: win7-20240903-en
Malware Config
Extracted
- Family: darkcomet
- Botnet: Chat
- C2: bahaarat.no-ip.biz:4153
- Mutex: DC_MUTEX-7ZU3TYT
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 0ERVdb5XjlW0
- install: true
- offline_keylogger: true
- password: 123lol123
- persistence: true
- reg_key: Windows Update
Targets
- Target: ea4acbc78aca8f04f59983e83afea192_JaffaCakes118 (size and hashes identical to the General section above)
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)