General
-
Target
JaffaCakes118_92bd43f58c78a41f0b27a018bfb7f367
-
Size
271KB
-
Sample
250329-xfl8csvvcx
-
MD5
92bd43f58c78a41f0b27a018bfb7f367
-
SHA1
8cac44f1a7f8b507baecf228a97538758b464ecf
-
SHA256
90c720c9410e1575ef1dabdf2e1640b55f123339d372589de814eb06096b47ec
-
SHA512
1142d9662ca560bc8011ddbd22f11fc2724c1e33e617a6fc74cbafc5e354180762c15426f6abbe668a9b5a40bf08c1087995bf3f6f279415e85885419458f3b3
-
SSDEEP
6144:oz+ZIja7JiVzDfdUITRilQ37imhVltGNPl4/fRq4vTBxvVjk5CKOR:oz+4KMVzDfrTRYQ3+WltCiHE4vTB3cwR
Malware Config
Extracted
darkcomet
Flyff
crashmob.no-ip.biz:1090
DC_MUTEX-W1S6CAL
-
InstallPath
C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart
-
gencode
Fd�kkey$KJxb
-
install
true
-
offline_keylogger
false
-
password
1a6c7c5de758a2e5933e962b1a5538a1bf11ba42d88e96b9d873d4eba9
-
persistence
false
-
reg_key
logon
Targets
-
-
Target
JaffaCakes118_92bd43f58c78a41f0b27a018bfb7f367
-
Size
271KB
-
MD5
92bd43f58c78a41f0b27a018bfb7f367
-
SHA1
8cac44f1a7f8b507baecf228a97538758b464ecf
-
SHA256
90c720c9410e1575ef1dabdf2e1640b55f123339d372589de814eb06096b47ec
-
SHA512
1142d9662ca560bc8011ddbd22f11fc2724c1e33e617a6fc74cbafc5e354180762c15426f6abbe668a9b5a40bf08c1087995bf3f6f279415e85885419458f3b3
-
SSDEEP
6144:oz+ZIja7JiVzDfdUITRilQ37imhVltGNPl4/fRq4vTBxvVjk5CKOR:oz+4KMVzDfrTRYQ3+WltCiHE4vTB3cwR
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables RegEdit via registry modification
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
8