General
Target: JaffaCakes118_0270f54ccf140ffa72680fbb4c210946
Size: 690KB
Sample: 250219-amfmtsspar
MD5: 0270f54ccf140ffa72680fbb4c210946
SHA1: 6c2cd856735734986e4529e41d409f26dae7dfc6
SHA256: 3e42074d54adf2fd9f3e094b3ec8f6435de03f9971d8a10aef2011a92f5e4d9b
SHA512: 44c4921b99f727e74ef41f0f27bff84b7e282adc84b5645cddcf778788c9f00e97714ce506dbf0515498c3b63b42ce61fe0e2b3e9e1bea68653027847c4b2561
SSDEEP: 12288:p9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hyst:zZ1xuVVjfFoynPaVBUR8f+kN10EBRt
Behavioral task: behavioral1
Sample: JaffaCakes118_0270f54ccf140ffa72680fbb4c210946.exe
Resource: win7-20240903-en
Malware Config
Extracted family: darkcomet
ID1 C2 endpoints:
  live1.no-ip.org:1604
  192.168.1.113:1243
  live1.no-ip.org:1243
  192.168.1.113:1604
  5.19.149.204:1243
  5.19.149.204:1604
Mutex: DC_MUTEX-NE59TV7
InstallPath: MSDCSC\msdcsc.exe
gencode: bReww4C9kylE
install: true
offline_keylogger: true
password: devil666
persistence: false
reg_key: MicroUpdate
Targets
Target: JaffaCakes118_0270f54ccf140ffa72680fbb4c210946
Size: 690KB
MD5: 0270f54ccf140ffa72680fbb4c210946
SHA1: 6c2cd856735734986e4529e41d409f26dae7dfc6
SHA256: 3e42074d54adf2fd9f3e094b3ec8f6435de03f9971d8a10aef2011a92f5e4d9b
SHA512: 44c4921b99f727e74ef41f0f27bff84b7e282adc84b5645cddcf778788c9f00e97714ce506dbf0515498c3b63b42ce61fe0e2b3e9e1bea68653027847c4b2561
SSDEEP: 12288:p9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hyst:zZ1xuVVjfFoynPaVBUR8f+kN10EBRt

Signatures:
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)