General

Target: fe20fabfd161f2b0626f59f87668181c_JaffaCakes118
Size: 795KB
Sample: 241219-c9ep6avlbr
MD5: fe20fabfd161f2b0626f59f87668181c
SHA1: 8e11a8cfae176127eade4d6067e97ecd64328e17
SHA256: 15430685b859b3a37e6fe88dc5ea8a0e2c373ebf3e07501e9bbd8bebd800305c
SHA512: cd36eff3a23da54105c383e0abfa8cd937aa5796347b83c6c9e45b5c002309c3eac2d616063454949ce1d3693949123c4e0978027e4c505cf93400e6f2388d77
SSDEEP: 24576:jnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfprz4Mduc+:zELbVMTrOq494Mq
Behavioral task: behavioral1

Sample: fe20fabfd161f2b0626f59f87668181c_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config

Extracted family: darkcomet
Botnet: FUD
C2: m419.zapto.org:1604
Mutex: DC_MUTEX-6Q5QX3J

Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: cBxUYTZjN6L3
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Targets

Target: fe20fabfd161f2b0626f59f87668181c_JaffaCakes118
Size: 795KB
MD5: fe20fabfd161f2b0626f59f87668181c
SHA1: 8e11a8cfae176127eade4d6067e97ecd64328e17
SHA256: 15430685b859b3a37e6fe88dc5ea8a0e2c373ebf3e07501e9bbd8bebd800305c
SHA512: cd36eff3a23da54105c383e0abfa8cd937aa5796347b83c6c9e45b5c002309c3eac2d616063454949ce1d3693949123c4e0978027e4c505cf93400e6f2388d77
SSDEEP: 24576:jnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfprz4Mduc+:zELbVMTrOq494Mq

Signatures:
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)