General
-
Target
JaffaCakes118_79df81ab84bd6047be9510c04439c600
-
Size
658KB
-
Sample
250104-qgfzeatjbj
-
MD5
79df81ab84bd6047be9510c04439c600
-
SHA1
8eff50b6d3ef7e06f4e1ff0ef48ebace301eb8f0
-
SHA256
6fc9cccdabc82d8ead2f3f4e912212a2c198fbb58649251a8bf3ca1a1a743bb2
-
SHA512
c60bb44741ff712dc32f28615560cf27b8fe6468bf01dcb5d9f92d357c1fc79c5949b3cfad96dc5e4a2902bbf689d74c8b63b168c9dca09bbfa7685d7d3f3c56
-
SSDEEP
12288:K9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/ho:GZ1xuVVjfFoynPaVBUR8f+kN10EBi
Malware Config
Extracted
darkcomet
RAT
dcratk.zapto.org:1604
DCMIN_MUTEX-D42GK0L
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
Pxh91wu5UxeB
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
Host
Targets
-
-
Target
JaffaCakes118_79df81ab84bd6047be9510c04439c600
-
Size
658KB
-
MD5
79df81ab84bd6047be9510c04439c600
-
SHA1
8eff50b6d3ef7e06f4e1ff0ef48ebace301eb8f0
-
SHA256
6fc9cccdabc82d8ead2f3f4e912212a2c198fbb58649251a8bf3ca1a1a743bb2
-
SHA512
c60bb44741ff712dc32f28615560cf27b8fe6468bf01dcb5d9f92d357c1fc79c5949b3cfad96dc5e4a2902bbf689d74c8b63b168c9dca09bbfa7685d7d3f3c56
-
SSDEEP
12288:K9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/ho:GZ1xuVVjfFoynPaVBUR8f+kN10EBi
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1