darkcomet | 03a21fbf9906bd7cf3206f5ff6d6861471843f6f42775a4cc0abe4dbb95b9cb6 | Triage

Sharing

General

Target

74c0183c68dc2bc7ae8c70ab5339df6b_JaffaCakes118
Size

1.0MB
Sample

240726-tjjd4ayapl
MD5

74c0183c68dc2bc7ae8c70ab5339df6b
SHA1

e1a5ed24672ce9a77ab5e7b191400304eb14697c
SHA256

03a21fbf9906bd7cf3206f5ff6d6861471843f6f42775a4cc0abe4dbb95b9cb6
SHA512

f66a2120b26c5d7ff5246c3ed4a5c870ca37518ee22d0d1758d32436763065a030575cf14c1e7b1225337a507c4d0001633a1941da867e2eab995986cda5e4f2
SSDEEP

24576:Kd3sbN+zOwGw+X5isFWql8LUJKMlwytZootBHXDeEesgTEd:WS+xh+X5LWqh/l57DesgTEd

Score

10^/10

darkcomet êìñíèí bootkit discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ÊÌÑíÈí

C2

127.0.0.1:4433

Mutex

DCMIN_MUTEX-KLYB853

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
VPyB8Ek2BmtJ
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  74c0183c68dc2bc7ae8c70ab5339df6b_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  74c0183c68dc2bc7ae8c70ab5339df6b
- SHA1
  
  e1a5ed24672ce9a77ab5e7b191400304eb14697c
- SHA256
  
  03a21fbf9906bd7cf3206f5ff6d6861471843f6f42775a4cc0abe4dbb95b9cb6
- SHA512
  
  f66a2120b26c5d7ff5246c3ed4a5c870ca37518ee22d0d1758d32436763065a030575cf14c1e7b1225337a507c4d0001633a1941da867e2eab995986cda5e4f2
- SSDEEP
  
  24576:Kd3sbN+zOwGw+X5isFWql8LUJKMlwytZootBHXDeEesgTEd:WS+xh+X5LWqh/l57DesgTEd
Score

10^/10

darkcomet êìñíèí bootkit discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometêìñíèíbootkitdiscoveryevasionpersistencerattrojan

behavioral2

discoveryevasion