General
Target: 9cc514035fa92be0dbc399cdf3871180_JaffaCakes118
Size: 658KB
Sample: 241125-vhqmfswqhv
MD5: 9cc514035fa92be0dbc399cdf3871180
SHA1: f5d1e39f30a690039ea2cc5eff294ca05a4849f2
SHA256: c2d70852c9ea40063f86b128b28cd62b16612ee6edd9bf254ae27d0ee67663e4
SHA512: 610c665b713bb112640051bafd0ed7bdab29d9c365c46a7723fbb7231d1f8678972dcd238b0a610b456cee8b41eefd6bb57e366fbce874a05bb2f8eff3c0d088
SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hK:KZ1xuVVjfFoynPaVBUR8f+kN10EBo
Behavioral task: behavioral1
Sample: 9cc514035fa92be0dbc399cdf3871180_JaffaCakes118.exe
Resource: win7-20241023-en
Malware Config
Extracted
Family: darkcomet
Campaign ID: Nigger
C2: xxcam950xx.no-ip.biz:1604
C2: 192.168.1.64:1604
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-TQS9RNP
InstallPath: MSDCSC\msdcsc.exe
gencode: Vt4dg9mRjUlH
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Targets
Target: 9cc514035fa92be0dbc399cdf3871180_JaffaCakes118 (size and hashes identical to the General section above)
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)