General

Target: JaffaCakes118_68e1b8ceb22a545ed3e41b85f64bc700
Size: 784KB
Sample: 250102-3hbsassrhr
MD5: 68e1b8ceb22a545ed3e41b85f64bc700
SHA1: bde7f52c475ea091b658cd98d14395c6c5004aea
SHA256: 099298eb0d27113f15636f07de5e7ab7995d432b928ef22a54e2c204117c4be4
SHA512: 178422936dde056dc5f9b894fe6b4f83ecb02441940ef5b9d29cdc5c8f06cf669dd633abf60bd2c5360dcab247fa2232ef2be887b4d173509f732407cebf786b
SSDEEP: 24576:/knfpDJAW4RhBxzjMSgeCugPGFEOfvfwXtUKCsiXS:/AfZSlR1j3geCudEO/wmS
Static task: static1
Behavioral task: behavioral1
Sample: Steam Money Exploit.exe
Resource: win7-20240903-en
Malware Config

Extracted: darkcomet
HackeD
hackos.no-ip.biz:1604
DC_MUTEX-W73HHNJ

InstallPath: MSDCSC\msdcsc.exe
gencode: sBdcyo0RLfX2
install: true
offline_keylogger: true
password: koperek
persistence: true
reg_key: MicroUpdate
Targets

Target: Steam Money Exploit.exe
Size: 875KB
MD5: 2bb231e6b395b212b61e4d9812a96c68
SHA1: 64613e8f67107ac12fbde10d3a3e061d93ed8759
SHA256: ca876f0d6b688d44f6cf155996ad3353b200c9cf6951c301a13b8e85f668885e
SHA512: fb722d7a91e4bb6567febda9e1711a22c19644e9758fef40941b1f0fd3817b7e1888fed0189804f4c324182ac8b716b35b05ff78892f74e504be08ca0a8da6d1
SSDEEP: 12288:oGWkDv2vfM2Ag6rh4fR0VZmVYDskAk2UNNzwISHpsNo:tWkDeDAgmhYShrHp3
- Darkcomet family
- Modifies WinLogon for persistence
- Disables Task Manager via registry modification
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)