General
-
Target
4aafe21742d5f2e5638140add96d1064_JaffaCakes118
-
Size
1.7MB
-
Sample
241020-zt6v2azdpe
-
MD5
4aafe21742d5f2e5638140add96d1064
-
SHA1
9e5bd524edc9e917ebfef51aa6d092928abc0401
-
SHA256
6035c2626958f5c8d5847c17bf70d03262a6ba19dcc8caa7dccc3dabad362406
-
SHA512
93249a962891a016f1eedfb570a2f5b225534406eeb055b1840262214be96fe0154be6886d99270782aa5e496d6f080ab71b31f50638fee5a75f867609c374dd
-
SSDEEP
49152:YKl83VckHPop65PXwwWgSvZLAZcieRK1F:Y+8G0PYgwtvZLAiizT
Malware Config
Extracted
Protocol: ftp- Host:
chitergus.vov.ru - Port:
21 - Username:
u302437 - Password:
ueadsvji
Targets
-
-
Target
4aafe21742d5f2e5638140add96d1064_JaffaCakes118
-
Size
1.7MB
-
MD5
4aafe21742d5f2e5638140add96d1064
-
SHA1
9e5bd524edc9e917ebfef51aa6d092928abc0401
-
SHA256
6035c2626958f5c8d5847c17bf70d03262a6ba19dcc8caa7dccc3dabad362406
-
SHA512
93249a962891a016f1eedfb570a2f5b225534406eeb055b1840262214be96fe0154be6886d99270782aa5e496d6f080ab71b31f50638fee5a75f867609c374dd
-
SSDEEP
49152:YKl83VckHPop65PXwwWgSvZLAZcieRK1F:Y+8G0PYgwtvZLAiizT
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Blocklisted process makes network request
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1