General
-
Target
636c05fe4480eec1229bb70a8e1bd012_JaffaCakes118
-
Size
1000KB
-
Sample
241020-vxqk1azgkc
-
MD5
636c05fe4480eec1229bb70a8e1bd012
-
SHA1
bf2642826097c5126636a2d79d7ea91d974ae471
-
SHA256
aa404e84e265ecd58d1582acb9fc83ae27c7b48f34cc025516f5c4eb2b73bbc7
-
SHA512
914e1d7c9ccef88f0a1e1daa2417c6871ce864614516e2987103b9be854c5fd02230f9e434bd07d8d3cc1a9b08ddf7d2931303f7f2b95b588417970567e24b4e
-
SSDEEP
24576:iorQ9H/Z5GfbyFkWjcpV2hkwmtjg9gjFqX+6:ioreHh5GTyFxjc6F0gOgX
Malware Config
Extracted
darkcomet
K4ckN00bS
dasistmeineip.no-ip.org:51337
DC_MUTEX-T56KLC5
-
InstallPath
WinRAR\WinRAR.exe
-
gencode
4QV2T2zsWP4q
-
install
true
-
offline_keylogger
false
-
persistence
false
-
reg_key
WinRAR
Targets
-
-
Target
636c05fe4480eec1229bb70a8e1bd012_JaffaCakes118
-
Size
1000KB
-
MD5
636c05fe4480eec1229bb70a8e1bd012
-
SHA1
bf2642826097c5126636a2d79d7ea91d974ae471
-
SHA256
aa404e84e265ecd58d1582acb9fc83ae27c7b48f34cc025516f5c4eb2b73bbc7
-
SHA512
914e1d7c9ccef88f0a1e1daa2417c6871ce864614516e2987103b9be854c5fd02230f9e434bd07d8d3cc1a9b08ddf7d2931303f7f2b95b588417970567e24b4e
-
SSDEEP
24576:iorQ9H/Z5GfbyFkWjcpV2hkwmtjg9gjFqX+6:ioreHh5GTyFxjc6F0gOgX
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1