darkcomet | 2d54f8acc24d92b01e76b7e588795fcf4c6767d91af149230b2ff0adedc5593b | Triage

Sharing

General

Target

e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118
Size

1.3MB
Sample

240917-g89w5aygqr
MD5

e63ac5e07f37c1b181aa02d04743c49d
SHA1

45025e5457cf4883acaf32db083a72cbe91532e0
SHA256

2d54f8acc24d92b01e76b7e588795fcf4c6767d91af149230b2ff0adedc5593b
SHA512

468c9f9f93dd06c457ab135cd7f190c3c0f34030e61add8eb74e176deec68ce07f1dc4884fa94b46ae0520ce3a73f9ca49affc3e5b404d055adaa7355f90971a
SSDEEP

12288:/1jNhRmGWxuIOlYddlH6fQni2CVNQdOFyR78RdIHGD84O+XXdNKUL9LJwDu0cwS7:oOWXa4tr8zIHGD/LoJLb70g/F8i4h

Score

10^/10

darkcomet latentbot discovery evasion persistence rat trojan

Malware Config

Extracted

Family

latentbot

C2

pleasework1.zapto.org

Targets

- Target
  
  e63ac5e07f37c1b181aa02d04743c49d_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  e63ac5e07f37c1b181aa02d04743c49d
- SHA1
  
  45025e5457cf4883acaf32db083a72cbe91532e0
- SHA256
  
  2d54f8acc24d92b01e76b7e588795fcf4c6767d91af149230b2ff0adedc5593b
- SHA512
  
  468c9f9f93dd06c457ab135cd7f190c3c0f34030e61add8eb74e176deec68ce07f1dc4884fa94b46ae0520ce3a73f9ca49affc3e5b404d055adaa7355f90971a
- SSDEEP
  
  12288:/1jNhRmGWxuIOlYddlH6fQni2CVNQdOFyR78RdIHGD84O+XXdNKUL9LJwDu0cwS7:oOWXa4tr8zIHGD/LoJLb70g/F8i4h
Score

10^/10

darkcomet latentbot discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbotdiscoveryevasionpersistencerattrojan

behavioral2

darkcometlatentbotdiscoveryevasionpersistencerattrojan