General
-
Target
JaffaCakes118_22d92c1060720bab5fdd04898b239ab0
-
Size
982KB
-
Sample
250225-zp85lawjz2
-
MD5
22d92c1060720bab5fdd04898b239ab0
-
SHA1
3b997840f4982df7b8bedb61cc63f4b8a09f0b06
-
SHA256
868be528642d4857e99869d8ba3cfaa9981c416645592af7f4d606401c78ebf9
-
SHA512
e656449f6df9a791623f3e9a85d8c481007c6a7a940b6046553761d26ef3c5672b84f6548a94c553c7c23db540afd2c83b42bdfc518275eedd76fb8a7a871ac4
-
SSDEEP
24576:8pc0GFdjR9EBn2zvhnD4kt/VIvTfZb6ma/A0gGBg:8pwdF9EBn2zZnRTkx/Ign
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_22d92c1060720bab5fdd04898b239ab0.exe
Resource
win7-20240903-en
Malware Config
Extracted
darkcomet
Guest16
pandoramini.codns.com:5003
DC_MUTEX-U9GTCBC
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
7xoM$dX09LLk
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
JaffaCakes118_22d92c1060720bab5fdd04898b239ab0
-
Size
982KB
-
MD5
22d92c1060720bab5fdd04898b239ab0
-
SHA1
3b997840f4982df7b8bedb61cc63f4b8a09f0b06
-
SHA256
868be528642d4857e99869d8ba3cfaa9981c416645592af7f4d606401c78ebf9
-
SHA512
e656449f6df9a791623f3e9a85d8c481007c6a7a940b6046553761d26ef3c5672b84f6548a94c553c7c23db540afd2c83b42bdfc518275eedd76fb8a7a871ac4
-
SSDEEP
24576:8pc0GFdjR9EBn2zvhnD4kt/VIvTfZb6ma/A0gGBg:8pwdF9EBn2zZnRTkx/Ign
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
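The config block and the behavioural signatures above together give the host-side indicators worth hunting for: the Run value name MicroUpdate, the relative install path MSDCSC\msdcsc.exe, the mutex DC_MUTEX-U9GTCBC, the C2 pandoramini.codns.com:5003, and an extra program chained into Winlogon. Note that persistence=false in the extracted config does not contradict the "Modifies WinLogon" and "Adds Run key" signatures: the report itself shows both autostart locations being written, so hunt for them regardless of that flag. The script below is an added example, not part of the sandbox report or of the DarkComet sample; it runs offline over constructed registry, mutex and connection data that stands in for what a triage collector would pull from a suspect host. The Documents\MSDCSC directory in the constructed data is an assumption, since the config only gives the relative path.

```python
"""Host-hunting checks for the DarkComet artifacts in this report.

Added example, not part of the sandbox report or the DarkComet sample. It
runs entirely offline over constructed registry/mutex/connection data that
stands in for what a triage script would collect from a suspect host.
"""
from typing import Dict, List, Tuple

RegistrySnapshot = Dict[str, Dict[str, str]]   # key path -> {value name: data}

# Indicators taken from the extracted config above
IOC_MUTEX = "DC_MUTEX-U9GTCBC"
IOC_RUN_VALUE = "MicroUpdate"
IOC_INSTALL_PATH = r"MSDCSC\msdcsc.exe"
IOC_C2 = ("pandoramini.codns.com", 5003)

# Autostart locations behind the "Adds Run key" and "Modifies WinLogon" signatures
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock Winlogon programs; any other entry is a helper Windows did not install
WINLOGON_DEFAULTS = {"Userinit": {"userinit.exe"}, "Shell": {"explorer.exe"}}


def _basename(path: str) -> str:
    """Lower-cased file name from a registry path value, quotes stripped."""
    path = path.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_keys(reg: RegistrySnapshot) -> List[str]:
    """Flag the configured Run value name or any Run entry launching the install path."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name.lower() == IOC_RUN_VALUE.lower() or IOC_INSTALL_PATH.lower() in data.lower():
                hits.append(f"Run key {key}\\{name} -> {data}")
    return hits


def check_winlogon(reg: RegistrySnapshot) -> List[str]:
    """Flag extra programs in Winlogon Userinit/Shell (the Winlogon Helper technique)."""
    hits = []
    values = reg.get(WINLOGON_KEY, {})
    for value, allowed in WINLOGON_DEFAULTS.items():
        # Userinit is comma-separated and legitimately ends with a trailing comma
        entries = [e.strip() for e in values.get(value, "").split(",")]
        for entry in filter(None, entries):
            if _basename(entry) not in allowed:
                hits.append(f"Winlogon {value} launches extra program: {entry}")
    return hits


def check_mutexes(mutexes: List[str]) -> List[str]:
    """Flag the configured mutex; the DC_MUTEX- prefix is shared by DarkComet builds."""
    return [f"DarkComet mutex present: {m}" for m in mutexes
            if m == IOC_MUTEX or m.startswith("DC_MUTEX-")]


def check_connections(conns: List[Tuple[str, int]]) -> List[str]:
    """Flag connections to the configured C2 host and port."""
    return [f"Connection to configured C2 {h}:{p}" for h, p in conns
            if (h.lower(), p) == IOC_C2]


def hunt(reg: RegistrySnapshot, mutexes: List[str], conns: List[Tuple[str, int]]) -> List[str]:
    """Run every check and return the combined findings (empty list = no indicator seen)."""
    return (check_run_keys(reg) + check_winlogon(reg)
            + check_mutexes(mutexes) + check_connections(conns))


# Constructed hosts. The MSDCSC directory under Documents is an assumption: the
# config only gives the relative install path MSDCSC\msdcsc.exe.
ONEDRIVE = r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'
CLEAN_HOST: RegistrySnapshot = {
    RUN_KEYS[0]: {"OneDrive": ONEDRIVE},
    WINLOGON_KEY: {"Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"},
}
INFECTED_HOST: RegistrySnapshot = {
    RUN_KEYS[0]: {"OneDrive": ONEDRIVE, "MicroUpdate": r"C:\Users\bob\Documents\MSDCSC\msdcsc.exe"},
    WINLOGON_KEY: {
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\bob\Documents\MSDCSC\msdcsc.exe",
        "Shell": "explorer.exe",
    },
}

if __name__ == "__main__":
    for label, host, mutexes, conns in (
        ("clean", CLEAN_HOST, [r"Local\ZonesCounterMutex"], [("login.live.com", 443)]),
        ("infected", INFECTED_HOST, ["DC_MUTEX-U9GTCBC"], [("pandoramini.codns.com", 5003)]),
    ):
        print(label, hunt(host, mutexes, conns) or "no DarkComet indicators")
```

The Winlogon check deliberately does not look for msdcsc.exe by name: it treats any program beyond userinit.exe or explorer.exe in those values as a finding, so a rebuilt stub with a different install path still surfaces. The Run-key check matches on both the value name and the install path because either can be changed independently in the builder.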
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)