General
-
Target
1f8ed890e0080167696df9f4d8a153a4_JaffaCakes118
-
Size
869KB
-
Sample
241008-e1k7pasepe
-
MD5
1f8ed890e0080167696df9f4d8a153a4
-
SHA1
6aaf29cbf84b75f28d316503bc8034d4e0f6abc6
-
SHA256
e490d74d2ae5e9b84e7a341b47472da7b241daf92e64da760d9206043c411d45
-
SHA512
992e897e20e6cc222aa810b972175efdad94b59a5140b805ae1e98b4fc9c8d03c68d52cecb7f483433c4898ff51ba7d1d76e27e18d069f445f909d94725dca05
-
SSDEEP
24576:G0QRWoJEfg0oChGdJQbjPbNW5tYeP+GF4h7uVkAg37:RQRV2o3MPY5Axh7uU
Behavioral task
behavioral1
Sample
1f8ed890e0080167696df9f4d8a153a4_JaffaCakes118.exe
Resource
win7-20240708-en
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-F54S21D
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
kcNNnp9VkE2N
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up the country code configured in the registry; likely a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)