General
-
Target
4004cede42ed113907008616f829e5fb_JaffaCakes118
-
Size
712KB
-
Sample
241013-qckf2asfjj
-
MD5
4004cede42ed113907008616f829e5fb
-
SHA1
b4a0399b0f37c85f31e3b7874ca8dbe254f42c16
-
SHA256
e663fbdd2a8965c3e85d9c0464b65ce768f12f2fd8cc4a954fb635157c76f08c
-
SHA512
1e97cfe80bb779e6f6856bf8db1a5797e8bd833bc6f86e38e74891a5c356e4c81b9b9f9a8b86cccdbccff0023b6c086e5381580b3d2690970df60dd1c3b8170f
-
SSDEEP
12288:q4p9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:qGZ1xuVVjfFoynPaVBUR8f+kN10EB
Malware Config
Extracted
darkcomet
Guest99
192.168.1.2:16010
DC_MUTEX-RD9WVSG
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
4355u26rHXxx
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
4004cede42ed113907008616f829e5fb_JaffaCakes118
-
Size
712KB
-
MD5
4004cede42ed113907008616f829e5fb
-
SHA1
b4a0399b0f37c85f31e3b7874ca8dbe254f42c16
-
SHA256
e663fbdd2a8965c3e85d9c0464b65ce768f12f2fd8cc4a954fb635157c76f08c
-
SHA512
1e97cfe80bb779e6f6856bf8db1a5797e8bd833bc6f86e38e74891a5c356e4c81b9b9f9a8b86cccdbccff0023b6c086e5381580b3d2690970df60dd1c3b8170f
-
SSDEEP
12288:q4p9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:qGZ1xuVVjfFoynPaVBUR8f+kN10EB
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2