General
-
Target
JaffaCakes118_66c8b6e79111811bb5d1a6347ea5a2c7
-
Size
1.0MB
-
Sample
250102-vtxj5syraw
-
MD5
66c8b6e79111811bb5d1a6347ea5a2c7
-
SHA1
f776ce50d7276e7d853237be8c461630642d2492
-
SHA256
80dd309638e1ab53050b7d313ef34e0591095c0f873366c8343f07e481aa51ed
-
SHA512
55c94d0c826b2e0144a6372ad9da0416602bc1477f2532683f3d2aee8133783393f30d146e26e8be44a813ea4a0544e59bf4d792096d953aa7a550bce74400f6
-
SSDEEP
24576:qMwVWG/If9sOc3/gqNx5FGGwAKSFZzr5APUTF/gOF:q5W5u5FpTKIB5A8R
Malware Config
Extracted
darkcomet
Skynet
spicial-k.no-ip.biz:1604
DC_MUTEX-Q8PJ2G1
-
InstallPath
MSDCSC\Skynet123.exe
-
gencode
YWGkPfoaNlzg
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
JaffaCakes118_66c8b6e79111811bb5d1a6347ea5a2c7
-
Size
1.0MB
-
MD5
66c8b6e79111811bb5d1a6347ea5a2c7
-
SHA1
f776ce50d7276e7d853237be8c461630642d2492
-
SHA256
80dd309638e1ab53050b7d313ef34e0591095c0f873366c8343f07e481aa51ed
-
SHA512
55c94d0c826b2e0144a6372ad9da0416602bc1477f2532683f3d2aee8133783393f30d146e26e8be44a813ea4a0544e59bf4d792096d953aa7a550bce74400f6
-
SSDEEP
24576:qMwVWG/If9sOc3/gqNx5FGGwAKSFZzr5APUTF/gOF:q5W5u5FpTKIB5A8R
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1