General
-
Target
1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118
-
Size
650KB
-
Sample
240702-z1tt2szbld
-
MD5
1d74fad1e7d34e01d3d775528ef60460
-
SHA1
822bc0882d94ff9b2c6396d97dd6ee7c0d0a7356
-
SHA256
0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97
-
SHA512
27414da752359560068dc533f53e8c58161f4739194f2bbbc8e2a3e5c9989a3e5dfa2a6c137f8465ade8611d7274da2c20bccfd880622e0484c516c8528b0d1e
-
SSDEEP
12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+I:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+GB
Malware Config
Extracted
darkcomet
blowme
90.207.119.46:443
AF48NLA
-
InstallPath
\msdcsc.exe
-
gencode
roqmzCFsJnuf
-
install
true
-
offline_keylogger
true
-
password
blowmeya
-
persistence
true
-
reg_key
update
Targets
-
-
Target
1d74fad1e7d34e01d3d775528ef60460_JaffaCakes118
-
Size
650KB
-
MD5
1d74fad1e7d34e01d3d775528ef60460
-
SHA1
822bc0882d94ff9b2c6396d97dd6ee7c0d0a7356
-
SHA256
0198e4ece40cebc1f98328360ca69e4b5386c2ff444596b268eb9af4ff137c97
-
SHA512
27414da752359560068dc533f53e8c58161f4739194f2bbbc8e2a3e5c9989a3e5dfa2a6c137f8465ade8611d7274da2c20bccfd880622e0484c516c8528b0d1e
-
SSDEEP
12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+I:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+GB
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1