General
Target: JaffaCakes118_07bb3b2e7cf89aba283ffd7af3daba65b50fcd620a25fb945cc85e7d64b9094b
Size: 343KB
Sample: 241230-aa5fes1lh1
MD5: a6a9bda5e3b1306010c80443e4e21786
SHA1: ff6faf3d2dc091a2806f311b5828cb48ee9c56b8
SHA256: 07bb3b2e7cf89aba283ffd7af3daba65b50fcd620a25fb945cc85e7d64b9094b
SHA512: 61789a5011e009aefe89a17d165edf85637a9466306a7c509f700844f8b3884356dd86f1ca15f1f97c68bc2754625490de32f126f41eb9562b3be6b43eb937d2
SSDEEP: 6144:vRH5E7pOgomMgUU9G/PL3iua13cmnPjivF3U6sjywsCh7XYgaauD2ZkIIyWAoax6:N5E7pO8BUUIj35rmPmvmly27ohyZswoZ
Behavioral task: behavioral1
Sample: xcgb.exe
Resource: win7-20241010-en
Malware Config
Targets
Target: xcgb.exe
Size: 745KB
MD5: c0e4f49d4ea30fe8e04fdba223b44f24
SHA1: 42d85163e18f35fd435b5f96a0bce10b8336b440
SHA256: 230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe
SHA512: 127923ce8310070ef1083b66f92ad5b7faeabb29f2540554fd833e6132d85478f55415344127760f04fe44a7ef8a0acd243d1dec5279510567a4a64777911abc
SSDEEP: 12288:w8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixB:pUKoN0bUxgGa/pfBHDb+y1HgZ
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)