darkcomet

General

Target

7ef58fae6597873eb9ddc200749efb54_JaffaCakes118
Size

1.3MB
Sample

240801-dnnxdayekl
MD5

7ef58fae6597873eb9ddc200749efb54
SHA1

01b74eb79082d0465ab8654b6a71c8570ac8743a
SHA256

046af6ee479e05559a9830dc541785559e7a006cc1761c1f9f6acd6b9fbef0e9
SHA512

97bcd602af86fdab80368e376712739dc96535026b77b87b6ff5e5f53796c0f39f6ec33954b8655aff64b8ca3bf7faa7e666f8aa5790d8a974c8ca408d0be14f
SSDEEP

24576:4DTCwXMdaEkx9Tod/Z/Va9nVFMG17y+g3LZjQsW2l9r/ArJf4q0/9xAN6:L4E0odR/SnVKaux3LZssW2lF4Ff43s6

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

popeyeth.mooo.com:27010

Mutex

1d4a6f46-b018-458b-86f2-d747c268ef19

Attributes

activate_away_mode
false
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-06-11T15:40:07.342134236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
27010
default_group
cloud
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1d4a6f46-b018-458b-86f2-d747c268ef19
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
popeyeth.mooo.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
5000
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

njrat

Version

0.7d

Botnet

GoogleServerHelper

C2

popeyeth.mooo.com:2222

Mutex

f12a535306e6106cec8bd5b7e630e4c4

Attributes

reg_key
f12a535306e6106cec8bd5b7e630e4c4
splitter
|'|'|

Targets

- Target
  
  7ef58fae6597873eb9ddc200749efb54_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  7ef58fae6597873eb9ddc200749efb54
- SHA1
  
  01b74eb79082d0465ab8654b6a71c8570ac8743a
- SHA256
  
  046af6ee479e05559a9830dc541785559e7a006cc1761c1f9f6acd6b9fbef0e9
- SHA512
  
  97bcd602af86fdab80368e376712739dc96535026b77b87b6ff5e5f53796c0f39f6ec33954b8655aff64b8ca3bf7faa7e666f8aa5790d8a974c8ca408d0be14f
- SSDEEP
  
  24576:4DTCwXMdaEkx9Tod/Z/Va9nVFMG17y+g3LZjQsW2l9r/ArJf4q0/9xAN6:L4E0odR/SnVKaux3LZssW2lF4Ff43s6
Score

10^/10

darkcomet darktrack nanocore njrat googleserverhelper discovery evasion keylogger persistence privilege_escalation rat spyware stealer trojan
- DarkTrack
  DarkTrack is a remote administration tool written in delphi.
  rat stealer darktrack
- DarkTrack payload
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2