General
- Target: JaffaCakes118_b05e8c21e30f253d77718709a5935976
- Size: 349KB
- Sample: 250411-3t8amssway
- MD5: b05e8c21e30f253d77718709a5935976
- SHA1: 583b6d6a47d94030167268af31f303b1accb56d3
- SHA256: 6b44480daa9151ecafd92c15e2aca85af37f441d8ee2010ff4c9b2e4adb0666d
- SHA512: fbe6b56436a06311feac3043305b43851a256505839b852b68db23409e83cf3db63afec0bee49d9f3bb00d792a5318726b0f0b4e0cd737737b904c67ef67ad58
- SSDEEP: 6144:hcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37ADOgcV9U:hcW7KEZlPzCy37ADn
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: elpida.no-ip.org:1604
- Mutex: DC_MUTEX-7EDJZ4Q
- InstallPath: MSDCSC\msdcsc.exe
- gencode: ocbxghCRk7D3
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Targets
- Target: JaffaCakes118_b05e8c21e30f253d77718709a5935976
Signatures
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)