General
-
Target
f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118
-
Size
661KB
-
Sample
241216-mpfrtswrez
-
MD5
f89e6abcba5b9946e47da02cee2ced9a
-
SHA1
0d8f39548a5eab3f0e1e665575a7b3d54e78edb1
-
SHA256
93293359fafc0adf8d6c70211674401c4ea799b96d516ac9bc7e9aa694f72f90
-
SHA512
0a5bf0e7b729f06c88cf65a7a66c38e39503cad4fedb750e993bba9fadd4d31838edcdee31b8f945d12d70af50e993ef41a36a40a33370642503b60e54a9b86c
-
SSDEEP
12288:E9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hu:IZ1xuVVjfFoynPaVBUR8f+kN10EBw
Malware Config
Extracted
darkcomet
Guest16
ashkar.no-ip.org:1604
DC_MUTEX-G0FAELX
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
ywEaUnUCbAtD
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118
-
Size
661KB
-
MD5
f89e6abcba5b9946e47da02cee2ced9a
-
SHA1
0d8f39548a5eab3f0e1e665575a7b3d54e78edb1
-
SHA256
93293359fafc0adf8d6c70211674401c4ea799b96d516ac9bc7e9aa694f72f90
-
SHA512
0a5bf0e7b729f06c88cf65a7a66c38e39503cad4fedb750e993bba9fadd4d31838edcdee31b8f945d12d70af50e993ef41a36a40a33370642503b60e54a9b86c
-
SSDEEP
12288:E9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hu:IZ1xuVVjfFoynPaVBUR8f+kN10EBw
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2