General
-
Target
7719d0e8367fa5d34ea87c95a6e35176_JaffaCakes118
-
Size
1.3MB
-
Sample
241028-celvzsvndm
-
MD5
7719d0e8367fa5d34ea87c95a6e35176
-
SHA1
f50ac4008a870554cd036486aacef41dcd00bda9
-
SHA256
ce1c536950fd9e6b41e6b13db2c1ecb1b67e78097202257a960ac42b184ed2f7
-
SHA512
a5bf46d98e024fb11ff92ac534cb96a0df81888d41afa16aff339563f20ee1fe9892791ae2c6f71e47aef2fe0d81ba41405a648163927ec7795025c456cfecf7
-
SSDEEP
24576:MZ1xuVVjfFoynPaVBUR8f+kN10EBZjZ1xuVVjfFoynPaVBUR8f+kN10EB:8QDgok30EQDgok30
Malware Config
Extracted
darkcomet
Guest16
hardywwe.sytes.net:1177
DC_MUTEX-D2N7A52
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
hoCJyYF6vH0V
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
7719d0e8367fa5d34ea87c95a6e35176_JaffaCakes118
-
Size
1.3MB
-
MD5
7719d0e8367fa5d34ea87c95a6e35176
-
SHA1
f50ac4008a870554cd036486aacef41dcd00bda9
-
SHA256
ce1c536950fd9e6b41e6b13db2c1ecb1b67e78097202257a960ac42b184ed2f7
-
SHA512
a5bf46d98e024fb11ff92ac534cb96a0df81888d41afa16aff339563f20ee1fe9892791ae2c6f71e47aef2fe0d81ba41405a648163927ec7795025c456cfecf7
-
SSDEEP
24576:MZ1xuVVjfFoynPaVBUR8f+kN10EBZjZ1xuVVjfFoynPaVBUR8f+kN10EB:8QDgok30EQDgok30
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1