darkcomet | ec11e83f9e05d5c41f352861864399257a7195adee035e19712ef1cd103a9b58 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

d102f2a68252e2dc3cbd93456636d66a_JaffaCakes118
Size

1.2MB
Sample

240907-eespmstcjk
MD5

d102f2a68252e2dc3cbd93456636d66a
SHA1

ad48ca59b225a866e4af1547585f7011e899c663
SHA256

ec11e83f9e05d5c41f352861864399257a7195adee035e19712ef1cd103a9b58
SHA512

ebeec30428a3debb07308b9fb8ec02b46c8d8ba69836cb711c2dd0aca36a8d3d45f7cb687d6e17a45ea2a3d95d354c6c4a4d41f27970d105866e931e0a2d190a
SSDEEP

24576:kzvelHvoPyoSpGiK6qCV5Pf96eoqWCJvZ59UPxp:Kv0Hvob6qS539/vJvZ59UJp

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  d102f2a68252e2dc3cbd93456636d66a_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  d102f2a68252e2dc3cbd93456636d66a
- SHA1
  
  ad48ca59b225a866e4af1547585f7011e899c663
- SHA256
  
  ec11e83f9e05d5c41f352861864399257a7195adee035e19712ef1cd103a9b58
- SHA512
  
  ebeec30428a3debb07308b9fb8ec02b46c8d8ba69836cb711c2dd0aca36a8d3d45f7cb687d6e17a45ea2a3d95d354c6c4a4d41f27970d105866e931e0a2d190a
- SSDEEP
  
  24576:kzvelHvoPyoSpGiK6qCV5Pf96eoqWCJvZ59UPxp:Kv0Hvob6qS539/vJvZ59UJp
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan