General
Target: eae8a05fffd6b4114e5d70c1b4535020_JaffaCakes118
Size: 923KB
Sample: 241213-lqfb1strdv
MD5: eae8a05fffd6b4114e5d70c1b4535020
SHA1: 39bb907ee415df3bd1a880c5ffeddb739b059d79
SHA256: 627665c1194f64deddc23172808affe3be158d789fadd21a578aacf365e95c00
SHA512: a0a8a557e0c44d53deefeb83d5b3d0e7834e3b2219ec06de11062dced32e29cf4fc2e24c97689e1b8e823ed85dfae054157d496e219835a87de88ba395cc9b6d
SSDEEP: 24576:Ro2zJs0c7HR29rZXig2kNIKAmvC+Cq5j:Hco9ggFN7L
Static task: static1
Behavioral task: behavioral1
  Sample: eae8a05fffd6b4114e5d70c1b4535020_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eae8a05fffd6b4114e5d70c1b4535020_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted
  darkcomet
  Guest16_min
  quenlol.no-ip.biz:127
  DCMIN_MUTEX-PRAANXA
  InstallPath: DCSCMIN\IMDCSC.exe
  gencode: JFuSyZ60x02G
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: DarkComet RAT
Targets
Target: eae8a05fffd6b4114e5d70c1b4535020_JaffaCakes118 (same sample and hashes as listed under General above)
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)