General
-
Target
9bb658f3ade60f573cadeab503e8d985_JaffaCakes118
-
Size
237KB
-
Sample
241125-qgkycsyjbx
-
MD5
9bb658f3ade60f573cadeab503e8d985
-
SHA1
55b9236d7be91fe79efeabe22e7e4c8fc6732999
-
SHA256
757ba0d84ebc934a27d3a3f153269e3830274309d459d9ca05862b38e8045677
-
SHA512
3b43e0af7436b4288ad6fe9c2a9764d2418d95bb1346905aec72876f9cad4ac76cc8edd8e8f5dfe2db67578240dfd25a8356cfcf10fcc99be734696d152cec75
-
SSDEEP
6144:Py22ByAreNz+rtZOLqJ5Z7Ro94BDLbP2rr4hmI:Ay1NzKZeqpR0SnbP2PGB
Malware Config
Extracted
darkcomet
Bomb
ameedo.no-ip.biz:1604
DC_MUTEX-QP7H2Q0
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
JzBevPC10jts
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
9bb658f3ade60f573cadeab503e8d985_JaffaCakes118
-
Size
237KB
-
MD5
9bb658f3ade60f573cadeab503e8d985
-
SHA1
55b9236d7be91fe79efeabe22e7e4c8fc6732999
-
SHA256
757ba0d84ebc934a27d3a3f153269e3830274309d459d9ca05862b38e8045677
-
SHA512
3b43e0af7436b4288ad6fe9c2a9764d2418d95bb1346905aec72876f9cad4ac76cc8edd8e8f5dfe2db67578240dfd25a8356cfcf10fcc99be734696d152cec75
-
SSDEEP
6144:Py22ByAreNz+rtZOLqJ5Z7Ro94BDLbP2rr4hmI:Ay1NzKZeqpR0SnbP2PGB
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3