General
-
Target
JaffaCakes118_23de3272cd0d500bf30c60ceaf052263
-
Size
802KB
-
Sample
250226-fww9ts1pv5
-
MD5
23de3272cd0d500bf30c60ceaf052263
-
SHA1
95e2fc70e1e4460b8c4d3ce6d88c32003ae88ad4
-
SHA256
6ab8ee60f32be9888a13765e4b15f88e60ed5a5fe0e783989cad192952c5f3ae
-
SHA512
aedb4e0596230f92197436f9e97b978594e579dfa3337917da335c4e8e1d4700073329857ca072a4f05dea6e81a95631abe29759b857b447c9149fdaa633a305
-
SSDEEP
24576:HdlTX3yCFJymZYnVrG2cQy6VjJYWw70+/:bTX3yC3ZYnVFzox/
Malware Config
Extracted
darkcomet
- gencode
-
install
false
-
offline_keylogger
false
-
persistence
false
Extracted
darkcomet
Guest16
h4xinc70.no-ip.org:20112
DC_MUTEX-FAMJLZW
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
$i$HD$YCZ3RG
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
JaffaCakes118_23de3272cd0d500bf30c60ceaf052263
-
Size
802KB
-
MD5
23de3272cd0d500bf30c60ceaf052263
-
SHA1
95e2fc70e1e4460b8c4d3ce6d88c32003ae88ad4
-
SHA256
6ab8ee60f32be9888a13765e4b15f88e60ed5a5fe0e783989cad192952c5f3ae
-
SHA512
aedb4e0596230f92197436f9e97b978594e579dfa3337917da335c4e8e1d4700073329857ca072a4f05dea6e81a95631abe29759b857b447c9149fdaa633a305
-
SSDEEP
24576:HdlTX3yCFJymZYnVrG2cQy6VjJYWw70+/:bTX3yC3ZYnVFzox/
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1