darkcomet | 123a0679375e02308a5fcdb9e1b33e90ca4692ce1be567787138ec26532f6583 | Triage

Sharing

General

Target

f3074b4b3dca7f69f06de291a68ad034_JaffaCakes118
Size

852KB
Sample

240416-jpk5rscg67
MD5

f3074b4b3dca7f69f06de291a68ad034
SHA1

10c96d67c4fdd062fd15edbb68e15bab3c5db7d1
SHA256

123a0679375e02308a5fcdb9e1b33e90ca4692ce1be567787138ec26532f6583
SHA512

8111e9fd7454f23f7b0bd1c6c006b995f6ae015571062564d5ec06991a949b210513a2190d22747cf74a260181bab69a4a3d899cabf45ac69937cf1e175eb913
SSDEEP

12288:vj9I9J5eZy5Hwb3S/a6eFNG2L4T0DT1K2B92hj/St1MyaCcb45do4JbxH+jxY:xIXOTb39Lxij41MyN84XFHHYxY

Score

10^/10

darkcomet yepsrv evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

yepsrv

C2

yepstuff.no-ip.biz:200

Mutex

DC_MUTEX-7KAGZE8

Attributes

InstallPath
MSDCSC\explorer.exe
gencode
keLlgY8kJxFy
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  f3074b4b3dca7f69f06de291a68ad034_JaffaCakes118
- Size
  
  852KB
- MD5
  
  f3074b4b3dca7f69f06de291a68ad034
- SHA1
  
  10c96d67c4fdd062fd15edbb68e15bab3c5db7d1
- SHA256
  
  123a0679375e02308a5fcdb9e1b33e90ca4692ce1be567787138ec26532f6583
- SHA512
  
  8111e9fd7454f23f7b0bd1c6c006b995f6ae015571062564d5ec06991a949b210513a2190d22747cf74a260181bab69a4a3d899cabf45ac69937cf1e175eb913
- SSDEEP
  
  12288:vj9I9J5eZy5Hwb3S/a6eFNG2L4T0DT1K2B92hj/St1MyaCcb45do4JbxH+jxY:xIXOTb39Lxij41MyN84XFHHYxY
Score

10^/10

darkcomet yepsrv evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometyepsrvevasionpersistencerattrojan

behavioral2

darkcometyepsrvevasionpersistencerattrojan