General
-
Target
JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e
-
Size
3.0MB
-
Sample
250207-qvadsasnby
-
MD5
b78e98368bf87ce58b2aae9a26e1ac3e
-
SHA1
67a746bed23cb4fc97d8f2a542b78bf1ef3a539f
-
SHA256
2eb3ac2d64ce7ccf86f15f751093f6a3d2b9b83d637acba8d95c45ea47cc97dc
-
SHA512
e4249cd918a82a01896f31f7fb1958ce5539d5466e46cf21f7ad29d95b5de23e04d5f517f417fbc03ae8acbc0d5a8b7c0bfa9c1a19996fb569bfe52e8e12b7bf
-
SSDEEP
49152:0Dm5cit6FHMoDUM5n62s1JHy48m3KCnCc7NieDm5cit6FHMoDUM5n62s1J:
Malware Config
Extracted
darkcomet
Guest16
rattcody.zapto.org:20111
codylegge.zapto.org:20111
codylegge.zapto.org:1064
codylegge.zapto.org:1604
192.168.2.11:20111
142.162.41.160:20111
127.0.0.1:20111
DC_MUTEX-GK1MTGJ
-
gencode
6wlfzgB-CUtT
-
install
false
-
offline_keylogger
true
-
persistence
false
Targets
-
-
Target
JaffaCakes118_b78e98368bf87ce58b2aae9a26e1ac3e
-
Size
3.0MB
-
MD5
b78e98368bf87ce58b2aae9a26e1ac3e
-
SHA1
67a746bed23cb4fc97d8f2a542b78bf1ef3a539f
-
SHA256
2eb3ac2d64ce7ccf86f15f751093f6a3d2b9b83d637acba8d95c45ea47cc97dc
-
SHA512
e4249cd918a82a01896f31f7fb1958ce5539d5466e46cf21f7ad29d95b5de23e04d5f517f417fbc03ae8acbc0d5a8b7c0bfa9c1a19996fb569bfe52e8e12b7bf
-
SSDEEP
49152:0Dm5cit6FHMoDUM5n62s1JHy48m3KCnCc7NieDm5cit6FHMoDUM5n62s1J:
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Blocklisted process makes network request
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4