darkcomet | ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9 | Triage

Sharing

General

Target

ed10850ad8d0971da324de2c30729742_JaffaCakes118
Size

2.1MB
Sample

240411-k4bejsgd34
MD5

ed10850ad8d0971da324de2c30729742
SHA1

bb2f3935b780d1200554d9915da9e87d76edffbe
SHA256

ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9
SHA512

197ce8f3282cfc640e702841d87f088e4a86a1c95f3bdb78f806eb86d1b72684ebfc1f53b98e8708e71c87b92c8f5b5f969bd84194a3260ea7f95980ef54a8dd
SSDEEP

49152:EiobiV082zrjoFFfQnU26RO0QaXIe7P7uCzrlOrtD57loZQu:ZVX2zraE1yIe+CzrlO557pu

Score

10^/10

darkcomet september 2021 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

SeptemBER 2021

C2

bonding79.ddns.net:3316

goodgt79.ddns.net:3316

whatis79.ddns.net:3316

smath79.ddns.net:3316

jacknop79.ddns.net:3316

chrisle79.ddns.net:3316

Mutex

DC_MUTEX-6JQTXC0

Attributes

gencode
cVaduGzs7zFu
install
false
offline_keylogger
true
password
Password20$
persistence
false

Targets

- Target
  
  ed10850ad8d0971da324de2c30729742_JaffaCakes118
- Size
  
  2.1MB
- MD5
  
  ed10850ad8d0971da324de2c30729742
- SHA1
  
  bb2f3935b780d1200554d9915da9e87d76edffbe
- SHA256
  
  ba91d49ac453d3eb14950819a8cd6ee72aa704a24f1e47d0f8e180a3dfc768e9
- SHA512
  
  197ce8f3282cfc640e702841d87f088e4a86a1c95f3bdb78f806eb86d1b72684ebfc1f53b98e8708e71c87b92c8f5b5f969bd84194a3260ea7f95980ef54a8dd
- SSDEEP
  
  49152:EiobiV082zrjoFFfQnU26RO0QaXIe7P7uCzrlOrtD57loZQu:ZVX2zraE1yIe+CzrlO557pu
Score

10^/10

darkcomet september 2021 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometseptember 2021evasionpersistencerattrojan

behavioral2

darkcometseptember 2021evasionpersistencerattrojan