General
-
Target
9f9720cc215691347ae11183460fd813_JaffaCakes118
-
Size
746KB
-
Sample
241126-d4nasaslet
-
MD5
9f9720cc215691347ae11183460fd813
-
SHA1
e59697f497d394253ad633c033bc17a44c5335fb
-
SHA256
c71334b23e4e19c3160e549431ac4ff6b696b1dc114364e5a1bad5c6190d1c44
-
SHA512
d056b0ad70630dfacf7bd23633b2b2663403b4f3ac671113a8bc5d204ce1595093f9c8cff546213ef4b5a4154ca0e403b88496617cd97e57c73e3a2c3b19bc22
-
SSDEEP
12288:H6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhYqMd0QZh9u:aAmBpVKHu0Mu9Xo20VGLVP5YD0QZh9u
Malware Config
Targets
-
-
Target
9f9720cc215691347ae11183460fd813_JaffaCakes118
-
Size
746KB
-
MD5
9f9720cc215691347ae11183460fd813
-
SHA1
e59697f497d394253ad633c033bc17a44c5335fb
-
SHA256
c71334b23e4e19c3160e549431ac4ff6b696b1dc114364e5a1bad5c6190d1c44
-
SHA512
d056b0ad70630dfacf7bd23633b2b2663403b4f3ac671113a8bc5d204ce1595093f9c8cff546213ef4b5a4154ca0e403b88496617cd97e57c73e3a2c3b19bc22
-
SSDEEP
12288:H6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhYqMd0QZh9u:aAmBpVKHu0Mu9Xo20VGLVP5YD0QZh9u
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Drops file in Drivers directory
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2