General
-
Target
05a15b105aa171e188ce62bca5a710d4_JaffaCakes118
-
Size
915KB
-
Sample
240623-jw6p2syekl
-
MD5
05a15b105aa171e188ce62bca5a710d4
-
SHA1
f5aaf074d400955d268adf55b1c5046c0ce04353
-
SHA256
d4813b069564b17e63211d76ebb3e005e39d98d64de5c62d5ec77cfc370ee557
-
SHA512
01cb813bee98f9380c710a72ec444d23e7e0ef1d9548aa774a69223bba931c40de1fad8244eca7f50a34474e29554a686f3f2fb306a59079ce113e722da79742
-
SSDEEP
24576:KcnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpOY01z:KGELbVMTrOq4AYE
Malware Config
Extracted
darkcomet
Guest16
w-a.no-ip.biz:1604
DC_MUTEX-0WHJZ5G
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
RxN8mVVXe1se
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
05a15b105aa171e188ce62bca5a710d4_JaffaCakes118
-
Size
915KB
-
MD5
05a15b105aa171e188ce62bca5a710d4
-
SHA1
f5aaf074d400955d268adf55b1c5046c0ce04353
-
SHA256
d4813b069564b17e63211d76ebb3e005e39d98d64de5c62d5ec77cfc370ee557
-
SHA512
01cb813bee98f9380c710a72ec444d23e7e0ef1d9548aa774a69223bba931c40de1fad8244eca7f50a34474e29554a686f3f2fb306a59079ce113e722da79742
-
SSDEEP
24576:KcnAw2WWeFcfbP9VPSPMTSPL/rWvzq4JJfpOY01z:KGELbVMTrOq4AYE
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1