General
-
Target
7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118
-
Size
3.6MB
-
Sample
241030-cqssnssrht
-
MD5
7d90f7a105098f45110f71e7c5acf0d1
-
SHA1
6ac34cb84ac377e813e52934f032f8e2132544f3
-
SHA256
dc4a8fc218f79aea3d18b9326717d5a219c154a6aa6f3a4f7ef258023ebc0692
-
SHA512
63f070dc31f9490920aedc1d6fdd2081d3e7861f2c0c22ed516d518976c1fd41b9d0b7a49895982fa3c6f84d06ed01881013d1395a09aae4b9e2aa600f3b2176
-
SSDEEP
49152:eG75ATl5Too3e8odvG7bAKusrx0UbFAcd:Z6Toh5dvG7gmHd
Malware Config
Extracted
darkcomet
RS4
50123105510.no-ip.biz:20
DC_MUTEX-AAE6Q5H
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Pf5AEXF4vBub
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118
-
Size
3.6MB
-
MD5
7d90f7a105098f45110f71e7c5acf0d1
-
SHA1
6ac34cb84ac377e813e52934f032f8e2132544f3
-
SHA256
dc4a8fc218f79aea3d18b9326717d5a219c154a6aa6f3a4f7ef258023ebc0692
-
SHA512
63f070dc31f9490920aedc1d6fdd2081d3e7861f2c0c22ed516d518976c1fd41b9d0b7a49895982fa3c6f84d06ed01881013d1395a09aae4b9e2aa600f3b2176
-
SSDEEP
49152:eG75ATl5Too3e8odvG7bAKusrx0UbFAcd:Z6Toh5dvG7gmHd
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2