General
-
Target
JaffaCakes118_243ce1eafb35b8c75c92dfc17c9cdbf7
-
Size
1.9MB
-
Sample
250226-hv5kxsxkv9
-
MD5
243ce1eafb35b8c75c92dfc17c9cdbf7
-
SHA1
2184158130338212f663c11b7208458c2b387f7b
-
SHA256
295cf4a560b9873306601baf3ed4002dac46064afea62aa4e3471896d930051c
-
SHA512
bb647db5bbd028bef7c16bde3ba2bf23870849bcb6a5de6d4d765d65e576103945c5814af03bf60454523f2128beefc09c2f9d88fe37c07d585fcae65bb9591c
-
SSDEEP
49152:+JZoQrbTFZY1iab4bm1GUkL76vfpvmtdcP:+trbTA1K5L76wtdcP
Malware Config
Extracted
darkcomet
Cats
braxidy.no-ip.org:200
DC_MUTEX-QRHR0FX
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
ABQgZgW0mMp9
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
JaffaCakes118_243ce1eafb35b8c75c92dfc17c9cdbf7
-
Size
1.9MB
-
MD5
243ce1eafb35b8c75c92dfc17c9cdbf7
-
SHA1
2184158130338212f663c11b7208458c2b387f7b
-
SHA256
295cf4a560b9873306601baf3ed4002dac46064afea62aa4e3471896d930051c
-
SHA512
bb647db5bbd028bef7c16bde3ba2bf23870849bcb6a5de6d4d765d65e576103945c5814af03bf60454523f2128beefc09c2f9d88fe37c07d585fcae65bb9591c
-
SSDEEP
49152:+JZoQrbTFZY1iab4bm1GUkL76vfpvmtdcP:+trbTA1K5L76wtdcP
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1