General
-
Target
20799f295c5b0e5aa27b5896b230b57a_JaffaCakes118
-
Size
13.9MB
-
Sample
241008-jzfysswhkj
-
MD5
20799f295c5b0e5aa27b5896b230b57a
-
SHA1
e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
-
SHA256
3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
-
SHA512
70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
-
SSDEEP
24576:0RmJkcoQricOIQxiZY1iaGVR2L1IQnr/hEzgF82oN5TKnKYEDrHqANbbNBW6Db6b:RJZoQrbTFZY1iaIR2B
Malware Config
Extracted
darkcomet
Guest16
onlinebonjour1pt.ddns.net:1605
DC_MUTEX-K9JEE5J
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
PPlJGVizdNKt
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Microdaptxx
Targets
-
-
Target
20799f295c5b0e5aa27b5896b230b57a_JaffaCakes118
-
Size
13.9MB
-
MD5
20799f295c5b0e5aa27b5896b230b57a
-
SHA1
e0e72f3a636f4dcd87bb5606f24fe0ff298fbb74
-
SHA256
3d96847f7962c01a7951f95acb29dff7999b7e8d54c946b3b1ccd035cbf2bcb1
-
SHA512
70cd3984c49da18dc9aeb852f745a8324a93583ab892af7f08bf5372cdb4ffc0cb0cce4033988d9088aaf1b0c740f612690addf9598ad3349ef6ef79112b3d16
-
SSDEEP
24576:0RmJkcoQricOIQxiZY1iaGVR2L1IQnr/hEzgF82oN5TKnKYEDrHqANbbNBW6Db6b:RJZoQrbTFZY1iaIR2B
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1