General
Target: e761ad70be62309281d1edf463e8c0e4_JaffaCakes118
Size: 2.0MB
Sample: 241212-vhr6aazrdx
MD5: e761ad70be62309281d1edf463e8c0e4
SHA1: 6003a7704f131074cb9a8162c4cfdf979ce5be8f
SHA256: 343aaf3307a88ac8be9ebc8a3562905d7c34e3dadc477d7557b00f06c3904e7c
SHA512: 068bed4b6e6b7ef8a5f9ba596b18f5f3a76949961e9994e488109fe2266ddcf831240f72f510bf98cbc38653584c8682ed272cd72819bd714dd947727e0707c7
SSDEEP: 49152:1rLsrRotIig7rLaKXrrf7mX8rptlyXFwtAamqRkWvazk:1rGL3LZPaXwt6ExAFzk
Static task: static1
Behavioral task: behavioral1
Sample: e761ad70be62309281d1edf463e8c0e4_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: darkcomet
Botnet: JDB
C2: wonanwad.no-ip.biz:1604
Mutex: DCMIN_MUTEX-6X4A2HS
Attributes:
InstallPath: DCSCMIN\IMDCSC.exe
gencode: NMt8acKfFNq0
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Targets
Target: e761ad70be62309281d1edf463e8c0e4_JaffaCakes118
Size: 2.0MB
MD5: e761ad70be62309281d1edf463e8c0e4
SHA1: 6003a7704f131074cb9a8162c4cfdf979ce5be8f
SHA256: 343aaf3307a88ac8be9ebc8a3562905d7c34e3dadc477d7557b00f06c3904e7c
SHA512: 068bed4b6e6b7ef8a5f9ba596b18f5f3a76949961e9994e488109fe2266ddcf831240f72f510bf98cbc38653584c8682ed272cd72819bd714dd947727e0707c7
SSDEEP: 49152:1rLsrRotIig7rLaKXrrf7mX8rptlyXFwtAamqRkWvazk:1rGL3LZPaXwt6ExAFzk
Signatures
- Darkcomet family
- Modifies WinLogon for persistence
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)