darkcomet | 4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2 | Triage

Sharing

General

Target

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118
Size

1.0MB
Sample

240416-c17pkshb9s
MD5

f27bcaa1644a3d59b1dbfb38c5aa0d6c
SHA1

d19334e7313a329b264b1236c579136e7e4ea1b0
SHA256

4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2
SHA512

47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab
SSDEEP

12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ultrafucker.no-ip.org:1604

Mutex

DC_MUTEX-XKL4MDM

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
wBVkapugtdJz
install
true
offline_keylogger
true
persistence
true
reg_key
svchost

Targets

- Target
  
  f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  f27bcaa1644a3d59b1dbfb38c5aa0d6c
- SHA1
  
  d19334e7313a329b264b1236c579136e7e4ea1b0
- SHA256
  
  4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2
- SHA512
  
  47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab
- SSDEEP
  
  12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2

darkcometguest16evasionpersistencerattrojan