General
- Target: 351e68f2e31e9f43b8d42a1783b77fa5_JaffaCakes118
- Size: 658KB
- Sample: 241011-q496rszhlj
- MD5: 351e68f2e31e9f43b8d42a1783b77fa5
- SHA1: 4f09ef300cbb1a3bfd31d20505b42d5cf1d61804
- SHA256: d0b38d66ec577ebc05179bf186ab43463478f157cf9bbd722a46e7bccf72d043
- SHA512: 516e1809b03e1f410137d020d49b19b6a9fd705b6515f0b87f112cd8e103d06fec8555fe9dbfd079fe7b98f90b360b379198f41361f7e28997a35fbefe0e69f5
- SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hk:eZ1xuVVjfFoynPaVBUR8f+kN10EB+
Behavioral task
- behavioral1
  - Sample: 351e68f2e31e9f43b8d42a1783b77fa5_JaffaCakes118.exe
  - Resource: win7-20240903-en
Malware Config
Extracted
- Family: darkcomet
- Botnet: V1
- C2: 78.219.82.2:666
- Mutex: DC_MUTEX-DMZMZFF
- Attributes:
  - InstallPath: MZ\winscp.exe
  - gencode: Vn3EVy5WLaMk
  - install: true
  - offline_keylogger: true
  - persistence: false
  - reg_key: WinSCP
Targets
- Target: 351e68f2e31e9f43b8d42a1783b77fa5_JaffaCakes118
- Size: 658KB
- MD5: 351e68f2e31e9f43b8d42a1783b77fa5
- SHA1: 4f09ef300cbb1a3bfd31d20505b42d5cf1d61804
- SHA256: d0b38d66ec577ebc05179bf186ab43463478f157cf9bbd722a46e7bccf72d043
- SHA512: 516e1809b03e1f410137d020d49b19b6a9fd705b6515f0b87f112cd8e103d06fec8555fe9dbfd079fe7b98f90b360b379198f41361f7e28997a35fbefe0e69f5
- SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hk:eZ1xuVVjfFoynPaVBUR8f+kN10EB+
- Behaviours observed:
  - Modifies WinLogon for persistence
  - Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)