darkcomet | 1fc634dc8146f64b2efbfd70cb5398277d65c8ddd65f121680c0341336cfeb88 | Triage

Sharing

General

Target

eeed818f660f7e0065f7552dadf8e267_JaffaCakes118
Size

649KB
Sample

240921-c8jmqa1gpn
MD5

eeed818f660f7e0065f7552dadf8e267
SHA1

703b37ad6671bdbf3398ba94e46c6e7c8970f464
SHA256

1fc634dc8146f64b2efbfd70cb5398277d65c8ddd65f121680c0341336cfeb88
SHA512

43ab5091f36db824a0d49c9c0eae2407af77a3c811bdae10430aa50e337287e78465315afe797f1b67da3b4691a80cb33b73f6d68a17924d0ee305fa59c79e7d
SSDEEP

12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+F:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gs

Score

10^/10

darkcomet server discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Server

C2

internetlogger.no-ip.info:8080

Mutex

DCMIN_MUTEX-4G9M569

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
MsmmgsYgTMoS
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Targets

- Target
  
  eeed818f660f7e0065f7552dadf8e267_JaffaCakes118
- Size
  
  649KB
- MD5
  
  eeed818f660f7e0065f7552dadf8e267
- SHA1
  
  703b37ad6671bdbf3398ba94e46c6e7c8970f464
- SHA256
  
  1fc634dc8146f64b2efbfd70cb5398277d65c8ddd65f121680c0341336cfeb88
- SHA512
  
  43ab5091f36db824a0d49c9c0eae2407af77a3c811bdae10430aa50e337287e78465315afe797f1b67da3b4691a80cb33b73f6d68a17924d0ee305fa59c79e7d
- SSDEEP
  
  12288:bk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+F:Q0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gs
Score

10^/10

darkcomet server discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

serverdarkcomet

behavioral1

darkcometserverdiscoverypersistencerattrojan

behavioral2

darkcometserverdiscoverypersistencerattrojan