General
Target: JaffaCakes118_25d94481f4967537d4b75902827e1948
Size: 1.1MB
Sample: 250226-pcm2gsyrx6
MD5: 25d94481f4967537d4b75902827e1948
SHA1: 71f72e4679f9918c506b6479870ebf5701d418dc
SHA256: 69ec29e540120ba091110e2ff51bddd3b67c5de8eb466959d2bb24316f5e813c
SHA512: 608af79380dc6bfb0c42ab07f99346ca0fc1a2ff338382b9ab0de9b359e0165720f08b0e81538eacd5a0a97fef968994253f1f3fdc88ad20cd63fcb11a0cf2ca
SSDEEP: 12288:JMmG1c2JW3zHBkdTYHvCicPmvpItUBLZsJ7KLctBhhoeThzvF1pVQ2KO43s9ub45:JCZV+jBItRTVF1dNqhH7jmbyU+ergU
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_25d94481f4967537d4b75902827e1948.exe
Resource: win7-20240729-en
Malware Config
Extracted (darkcomet)
Campaign ID: Guest16
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-46MKRG6
InstallPath: Windupdt\winupdate.exe
gencode: SsSbby=wZDXq
install: true
offline_keylogger: true
password: dreamh4ck
persistence: true
reg_key: winupdater
Extracted (darkcomet)
gencode:
install: false
offline_keylogger: false
persistence: false
Targets
Signatures:
- Darkcomet family
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)