General
  Target: JaffaCakes118_7d415b1f8e10719d44d228cabdab9360
  Size: 359KB
  Sample: 250104-3qw37stlcz
  MD5: 7d415b1f8e10719d44d228cabdab9360
  SHA1: 0b6768d92d14d1af70f97559e483aa6715222751
  SHA256: 921b14eb6a6c544f168408805632bb83da452fe65282f4ec3ca5a6a460fc7735
  SHA512: 7c8c5132a29bbe6c816ff3dee9ee07c686ef2518ba7cb0ed66520be8d272e7330a4c1eab33ba7db65796243b70d6e765b375f457fb1210688c1b1be41da6bf4a
  SSDEEP: 6144:huIBYvmvNEUL2ddhHzioNlUUAvu6gkjm9P7fPJ8SHDtQ5u7r5sX9i7CGY71X8S:YQWqNE9hTzUu6VKHSSHD+ylsNiuT71n
Behavioral task
  behavioral1
  Sample: SteamGameAdder V9.1.0.exe
  Resource: win7-20241010-en
Malware Config
Extracted
  Family: darkcomet
  Botnet: Guest16
  C2: captaindrain007.no-ip.biz:1604
  Mutex: DC_MUTEX-59V53UU
  InstallPath: Sys32.exe
  gencode: kectiaqbSr6n
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: System32.exe
Targets
  Target: SteamGameAdder V9.1.0.exe
  Size: 756KB
  MD5: 0f472613d60ab2e381d7ce1efec9f0a0
  SHA1: ee965531a2352e0c32385069cfd5135a0401044c
  SHA256: 55b4d7060a2a189fbf0311c52772c5fff93ebe80ddf02ed9f29e24ae89259585
  SHA512: 621f0226378aca81706ed2168124a557b4a081066f39bfa8d8d151aa3e03421c9a8943d7f7b48d20aa7736f67ea552cbf53d307dc496c1a5d180c0f4f4d39152
  SSDEEP: 12288:z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/htsvv6:9Z1xuVVjfFoynPaVBUR8f+kN10EBUvv6

  Signatures
  - Darkcomet family
  - Modifies WinLogon for persistence
  - Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)