General
-
Target
JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90
-
Size
456KB
-
Sample
250103-cbbkvaxneq
-
MD5
698442d3c6267aafd2a2d6157bce2a90
-
SHA1
7586cb460785076c24be81aa3e8d7928c1d806c4
-
SHA256
c4cf9bb4bd8f7f55d1ce288d7dede57fcf6e048e38d47fa00661dade54b9526f
-
SHA512
a652379f986e75d09d9aa8bc1f71be2cc672ec256fc8c537e47d69fa69c94d155111f8e50543a9728f7eca91887bebd18bccc77e7e74332dce0f1a1c01025e3e
-
SSDEEP
6144:9gHNSzfilEOBuc37a8IaVWJk+1lFP+IjwVAItNZWcv7DVNDrZ+CtJSn8bp26:9ga2Ln3nIsWJk+xlwVAItNZ9vLuK
Malware Config
Extracted
darkcomet
Clients
donbiz.no-ip.biz:1604
DC_MUTEX-B5WXAJQ
-
gencode
wwPkqHq7l2zl
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
JaffaCakes118_698442d3c6267aafd2a2d6157bce2a90
-
Size
456KB
-
MD5
698442d3c6267aafd2a2d6157bce2a90
-
SHA1
7586cb460785076c24be81aa3e8d7928c1d806c4
-
SHA256
c4cf9bb4bd8f7f55d1ce288d7dede57fcf6e048e38d47fa00661dade54b9526f
-
SHA512
a652379f986e75d09d9aa8bc1f71be2cc672ec256fc8c537e47d69fa69c94d155111f8e50543a9728f7eca91887bebd18bccc77e7e74332dce0f1a1c01025e3e
-
SSDEEP
6144:9gHNSzfilEOBuc37a8IaVWJk+1lFP+IjwVAItNZWcv7DVNDrZ+CtJSn8bp26:9ga2Ln3nIsWJk+xlwVAItNZ9vLuK
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1