General
-
Target
5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118
-
Size
1.4MB
-
Sample
241018-z3qv6s1apl
-
MD5
5968bd1843bca9ec5b655c9fdf219e8e
-
SHA1
c44f9696d0ff3ac324c549615fe06d52899e199b
-
SHA256
f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4
-
SHA512
c252e3feabf3435fd8135d92d619ce5ee1e67e94ea59b10d54451dbb3985dd8ab6be750c4d539952f292691fc7678b83cfbc5828af4cc7c1db390ecd680bdd19
-
SSDEEP
24576:Gu+mLlxpqrdJwkbVYG3HklghoOLGTEANNOIZauPVTOMUC:mElxYBJwwqGUl1kcEYauPV
Malware Config
Targets
-
-
Target
5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118
-
Size
1.4MB
-
MD5
5968bd1843bca9ec5b655c9fdf219e8e
-
SHA1
c44f9696d0ff3ac324c549615fe06d52899e199b
-
SHA256
f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4
-
SHA512
c252e3feabf3435fd8135d92d619ce5ee1e67e94ea59b10d54451dbb3985dd8ab6be750c4d539952f292691fc7678b83cfbc5828af4cc7c1db390ecd680bdd19
-
SSDEEP
24576:Gu+mLlxpqrdJwkbVYG3HklghoOLGTEANNOIZauPVTOMUC:mElxYBJwwqGUl1kcEYauPV
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
3