darkcomet | 039fb1c8675255b8edefc207b6362e0da58b6d9ddd767fea06a705ce54326fb8 | Triage

Sharing

General

Target

ffc2e4b24496363b727f6e4dbca30824_JaffaCakes118
Size

1.3MB
Sample

240421-vnyj9aga8z
MD5

ffc2e4b24496363b727f6e4dbca30824
SHA1

596e01d5c84cd459689c4bf69e3f83f4575be640
SHA256

039fb1c8675255b8edefc207b6362e0da58b6d9ddd767fea06a705ce54326fb8
SHA512

75a8da478550e1922621d3bbded40dd9baeb6e292cd493c8a5e116344565f20305c67969fa07f390ab54d113fc0471cdf37888dd2015cea881e7e4da10549493
SSDEEP

24576:xv3eNL+gpwfoYqFzwRWGqx8BsptOwCRS03kWaZYjEeUK/cRgOnmq9g6mzk8Axq:J3e5+gpwIFzwzqxmsvOPS0UWuucOU7m1

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

dark123comet00.no-ip.biz:1604

Mutex

DC_MUTEX-H9W4RQ4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
HyRqKCh4ATSA
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Targets

- Target
  
  ffc2e4b24496363b727f6e4dbca30824_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  ffc2e4b24496363b727f6e4dbca30824
- SHA1
  
  596e01d5c84cd459689c4bf69e3f83f4575be640
- SHA256
  
  039fb1c8675255b8edefc207b6362e0da58b6d9ddd767fea06a705ce54326fb8
- SHA512
  
  75a8da478550e1922621d3bbded40dd9baeb6e292cd493c8a5e116344565f20305c67969fa07f390ab54d113fc0471cdf37888dd2015cea881e7e4da10549493
- SSDEEP
  
  24576:xv3eNL+gpwfoYqFzwRWGqx8BsptOwCRS03kWaZYjEeUK/cRgOnmq9g6mzk8Axq:J3e5+gpwIFzwzqxmsvOPS0UWuucOU7m1
Score

10^/10

darkcomet guest16 evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16evasionpersistencerattrojan

behavioral2