General

Target: JaffaCakes118_6aafe9c297eadac877c46dcecf1cc5a0
Size: 986KB
Sample: 250103-gwmaasskbz
MD5: 6aafe9c297eadac877c46dcecf1cc5a0
SHA1: eafdf7853390493716a194fea4afe361c2c39525
SHA256: dd854470625e083c3c2c03f54b0298d9f1afdbf2b6ada4eba2cf75178a33ec48
SHA512: 2756383c88a2ca67d4bcf958d4d8c22e29d62d68d2d30cabe6a18b9f5d8bfa729d0b967bf00df1346bfaea003547aa63d0a0aa56be7696220a225e45fcb291c5
SSDEEP: 24576:kLXM6FshSIugg9ct7ebK90WGD5dALXM6FshSII:kLXM6FshSIuBiUJWGD5dALXM6FshSII
Behavioral tasks

Task         Sample                  Resource
behavioral1  yara_detected/047.exe   win7-20240903-en
behavioral2  yara_detected/047.exe   win10v2004-20241007-en
behavioral3  yara_detected/052.exe   win7-20241010-en
behavioral4  yara_detected/052.exe   win10v2004-20241007-en
behavioral5  yara_detected/092.exe   win7-20240903-en
Malware Config

Three DarkComet configurations were extracted. The report does not state which configuration belongs to which of the three target executables listed below, so treat all three C2 endpoints, mutexes and install paths as one indicator set. Note that the third build uses the DCMIN_MUTEX / DCSCMIN\IMDCSC.exe naming rather than the DC_MUTEX / MSDCSC\msdcsc.exe naming of the first two.

Extracted: darkcomet
  Campaign ID (botnet): freddox
  C2: freddox.no-ip.info:1604
  Mutex: DC_MUTEX-G24FNBR
  InstallPath: MSDCSC\msdcsc.exe
  gencode: Q2dwRiSC77Ri
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: winlogon

Extracted: darkcomet
  Campaign ID (botnet): Guest16
  C2: flewsetup.no-ip.org:1337
  Mutex: DC_MUTEX-Q4E6AA1
  InstallPath: MSDCSC\msdcsc.exe
  gencode: c8QGBueWDoVg
  install: true
  offline_keylogger: true
  password: memorylane12
  persistence: true
  reg_key: MicroUpdate

Extracted: darkcomet
  Campaign ID (botnet): mikebail
  C2: 99.235.66.71:1604
  Mutex: DCMIN_MUTEX-XRCKYMB
  InstallPath: DCSCMIN\IMDCSC.exe
  gencode: ho2A6rzZ04Hk
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: DarkComet RAT
Targets

All three targets are 658KB DarkComet builds; their SSDEEP hashes differ from one another in only one or two characters per chunk, so they are near-identical binaries that differ essentially in embedded configuration.

Target: yara_detected/047.exe
Size: 658KB
MD5: c4f06737fcaa716b4ec8c5c77bd77122
SHA1: 144c8605ab71e8f81caac744febc9f441a5fb75b
SHA256: a0f93fe83d4863032eed437e0e6a86ddd8d5987e12b714232df192bfbb6c04fa
SHA512: 27ffe180e83808cbc4260044966715e1b3cbb0278840b274739fed6ac49f55eb09e841eb5392a0736c0e232729deb24e7d74ce430d11ee475801faec2a739d01
SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hq:eZ1xuVVjfFoynPaVBUR8f+kN10EBk
Signatures:
  Darkcomet family
  Modifies WinLogon for persistence
  Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Drops file in System32 directory

Target: yara_detected/052.exe
Size: 658KB
MD5: 1e4cdaa0c4bf86ac72df643b9018b8c3
SHA1: 917bf5cef2a0b9271bff23697448e8ee8053e61c
SHA256: 3993c59cfb6caa6deea45db128f89f8753ab4f6bf1354d1390a577a9ddc2fe2d
SHA512: acfe4d64631ddcd58cf7bfadc48c01ac692251fcfc2158156531d8f5d7568f4997b460a47f2ce14dea991d5f2e5fb3a7a618d44a3106053405dc4915f292fed0
SSDEEP: 12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hU:qZ1xuVVjfFoynPaVBUR8f+kN10EB2
Signatures:
  Darkcomet family
  Modifies WinLogon for persistence
  Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application

Target: yara_detected/092.exe
Size: 658KB
MD5: 91478eaa8eec1087df8b4a7650cbbd5c
SHA1: cbc5c097c8a254232aac8b130798aac322524085
SHA256: 203411ae6e30fd197ed1f3ae30736ebffdbf79bc2d9a083bf41e08501d7bebe1
SHA512: 9b4bbc8275b3c9d0604272a1d94cf8adec0be70120ff039af363a307271881384addf481c9a6c667354a36cb368e369680d0db245d3b4f86f178f9eb5e27cdb7
SSDEEP: 12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hs:eZ1xuVVjfFoynPaVBUR8f+kN10EBi
Signatures:
  Darkcomet family
  Modifies WinLogon for persistence
  Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 2
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
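The two techniques mapped above (Run key, Winlogon helper) and the extracted configurations together give a concrete checklist for a host. The block below is an added example, not code from the report or the sandbox: it turns the three configs into indicator sets and scans a constructed registry snapshot for the persistence the report flags. Assumptions, not stated by the page: the `reg_key` config field is treated as the value name DarkComet writes under `...\CurrentVersion\Run`; "Modifies WinLogon for persistence" is assumed to mean an extra executable appended to the Winlogon `Userinit` value (the `Shell` value is checked too); the victim paths in the snapshot are invented.

```python
"""Indicators from the extracted DarkComet configs, plus a persistence check
over a registry snapshot. Added example; not the report's or sandbox's code."""
from __future__ import annotations
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class DarkCometConfig:
    campaign: str
    c2: str            # "host:port" exactly as extracted
    mutex: str
    install_path: str  # relative install location as extracted
    reg_key: str       # assumed: the value name written under ...\Run
    persistence: bool


# Values copied from the "Malware Config" section of this report.
CONFIGS = (
    DarkCometConfig("freddox", "freddox.no-ip.info:1604", "DC_MUTEX-G24FNBR",
                    r"MSDCSC\msdcsc.exe", "winlogon", True),
    DarkCometConfig("Guest16", "flewsetup.no-ip.org:1337", "DC_MUTEX-Q4E6AA1",
                    r"MSDCSC\msdcsc.exe", "MicroUpdate", True),
    DarkCometConfig("mikebail", "99.235.66.71:1604", "DCMIN_MUTEX-XRCKYMB",
                    r"DCSCMIN\IMDCSC.exe", "DarkComet RAT", False),
)


def c2_endpoint(cfg: DarkCometConfig) -> tuple[str, int]:
    host, _, port = cfg.c2.rpartition(":")
    return host, int(port)


def indicators(configs=CONFIGS) -> dict[str, set]:
    """Collapse the configs into de-duplicated, case-normalised indicator sets."""
    return {
        "c2": {c2_endpoint(c) for c in configs},
        "mutexes": {c.mutex for c in configs},
        "install_paths": {c.install_path.lower() for c in configs},
        "run_value_names": {c.reg_key.lower() for c in configs},
    }


WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed snapshot (value path -> data): one DarkComet install with the
# assumed Userinit modification and a Run value, next to a benign Run entry.
SNAPSHOT = {
    WINLOGON + r"\Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\msdcsc.exe,",
    WINLOGON + r"\Shell": "explorer.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def winlogon_findings(snapshot: dict[str, str]) -> list[tuple[str, str]]:
    """Flag any Userinit entry that is not userinit.exe, and a non-default Shell."""
    out = []
    userinit = snapshot.get(WINLOGON + r"\Userinit", "")
    for entry in (e.strip() for e in userinit.split(",")):
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            out.append(("winlogon_userinit", entry))
    shell = snapshot.get(WINLOGON + r"\Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        out.append(("winlogon_shell", shell))
    return out


def run_key_findings(snapshot: dict[str, str], iocs: dict[str, set]) -> list[tuple[str, str]]:
    """Flag Run values whose name or target path matches the extracted configs."""
    out = []
    for path, data in snapshot.items():
        head, _, name = path.rpartition("\\")
        if not head.lower().endswith(r"\currentversion\run"):
            continue
        data_l = data.lower()
        if name.lower() in iocs["run_value_names"] or any(p in data_l for p in iocs["install_paths"]):
            out.append(("run_key", path))
    return out


def scan(snapshot=SNAPSHOT, configs=CONFIGS) -> list[tuple[str, str]]:
    iocs = indicators(configs)
    return winlogon_findings(snapshot) + run_key_findings(snapshot, iocs)


if __name__ == "__main__":
    for kind, detail in scan():
        print(kind, detail)
```

On a live host the snapshot would come from `reg query` or a forensic hive export; the Userinit check is deliberately not signature-based, because any appended path there is suspicious regardless of which family put it in place, while the Run-key check is tied to the names and paths this report extracted.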