General
-
Target
JaffaCakes118_d722bc17e3db64b1646e84d80f4d6426
-
Size
828KB
-
Sample
250210-et2abszqhm
-
MD5
d722bc17e3db64b1646e84d80f4d6426
-
SHA1
67ed8eb49b7900319444d050cb081b0c7e8cd1d6
-
SHA256
0d14c7464ae4d5cf9fc9f235e17a781025564db99b2a086b633c4f5dbbcd5867
-
SHA512
b03d35e5d7ab11a0958b8f9923fb5b4305c0a7a9448c53e7972717a0f725274efb86e73608785509f9df8e029e98cde38e70b9f50951485901b011c021cf71cd
-
SSDEEP
12288:ml2hWAzPw3Ds410wLwxKOzJvQs5j1gY64NHvH0yOjTQ:vID0wDwvHx1gYFNHv0Bj0
Malware Config
Extracted
darkcomet
Guest16
komberss.no-ip.biz:81
DC_MUTEX-A7KBSJC
-
InstallPath
Windupdt\winupdate.exe
-
gencode
LnfXWy�k8J1%
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
winupdater
Targets
-
-
Target
JaffaCakes118_d722bc17e3db64b1646e84d80f4d6426
-
Size
828KB
-
MD5
d722bc17e3db64b1646e84d80f4d6426
-
SHA1
67ed8eb49b7900319444d050cb081b0c7e8cd1d6
-
SHA256
0d14c7464ae4d5cf9fc9f235e17a781025564db99b2a086b633c4f5dbbcd5867
-
SHA512
b03d35e5d7ab11a0958b8f9923fb5b4305c0a7a9448c53e7972717a0f725274efb86e73608785509f9df8e029e98cde38e70b9f50951485901b011c021cf71cd
-
SSDEEP
12288:ml2hWAzPw3Ds410wLwxKOzJvQs5j1gY64NHvH0yOjTQ:vID0wDwvHx1gYFNHv0Bj0
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1