General
Target: JaffaCakes118_06f81690ca4612578c3523a14bb3e842
Size: 690KB
Sample: 250219-wtlcjswkg1
MD5: 06f81690ca4612578c3523a14bb3e842
SHA1: f1eb270c75c4ebe65972ccb708fe65b6e7db69fe
SHA256: 2de7bfd75351415aebda6533b05658cd44e3c98a0cf0bcadf0b550c89eced90e
SHA512: 8e84676fe00baebbcc5ece2a303a2bc674429dfb383951c5ec42cdf12ef6f4523444394183f2a6edbb474766984d17d06d814c3d7940391a2ffdc298892a18f6
SSDEEP: 12288:F9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hVz:PZ1xuVVjfFoynPaVBUR8f+kN10EBL
Behavioral task: behavioral1
Sample: JaffaCakes118_06f81690ca4612578c3523a14bb3e842.exe
Resource: win7-20240903-en
Malware Config
Extracted family: darkcomet
Botnet: Guest16
C2: dcrat.no-ip.org:200
Mutex: DC_MUTEX-A6U8G3K
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: USzm5PSxo01Z
- install: true
- offline_keylogger: true
- password: 0123456789
- persistence: true
- reg_key: MicroUpdate
Targets
Target: JaffaCakes118_06f81690ca4612578c3523a14bb3e842
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)