General
- Target: JaffaCakes118_c1adf0ba899c7d16676d87b6de8f77aa
- Size: 751KB
- Sample: 250419-hd2spsxzhs
- MD5: c1adf0ba899c7d16676d87b6de8f77aa
- SHA1: 864065137b6f772d33cf6f35c4224bca73944697
- SHA256: 1fcca160810d613b3c95e10ae327b23476db7925b00d8befc129912ccd4a3b23
- SHA512: 4315e35e3df6851877c75261106e5230b7b3289c3d2be61b327b7d2388771f27333a3a9b2d0de48cdabd1024f705711fd3f17ae1b0583df4547564d878410de9
- SSDEEP: 12288:2eSdWyot/0lsBvyMHEFXKDlwgQVy8/0bpuD41AgB1UMcbBV6PCluBKARnmnxCd/7:/Vv/0l0dHENNVynbgDKB19ctWC0vRh1r
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_c1adf0ba899c7d16676d87b6de8f77aa.exe
- Resource: win10v2004-20250314-en
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Guest16
- C2: mydarkrat.no-ip.org:1604
- Mutex: DC_MUTEX-0BSJTXF
- InstallPath: MSDCSC\msdcsc.exe
- gencode: S9t3Am2D#$wZ
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Targets
- Target: JaffaCakes118_c1adf0ba899c7d16676d87b6de8f77aa
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)