darkcomet | d9dd37d60ebed8ec37f180ff4c026f04f76f84280aaad865da886b21544019f5 | Triage

Sharing

General

Target

23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118
Size

731KB
Sample

241008-xcmdysshrk
MD5

23a2f651f393bfcb0232d33c2b2f87a4
SHA1

e3787ca1dceb0910a26525e6828f16112d7f58fa
SHA256

d9dd37d60ebed8ec37f180ff4c026f04f76f84280aaad865da886b21544019f5
SHA512

8c8f25783573da53c61c692159b7645855b623fdba0f82d00c487d6e2f893b4b4ef940661168a452459d10e5bf8889dae552ec069d5b3ce23543466b841972d9
SSDEEP

12288:Ro6QZKN8RMELcXfMOBw+NF+9cIdTAN/9x/rsIMNoUMCOvCCSFFzBm//AAyX71aIt:WbjRmXUOod6V+IMNbOvvSbB4/cZ

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  23a2f651f393bfcb0232d33c2b2f87a4_JaffaCakes118
- Size
  
  731KB
- MD5
  
  23a2f651f393bfcb0232d33c2b2f87a4
- SHA1
  
  e3787ca1dceb0910a26525e6828f16112d7f58fa
- SHA256
  
  d9dd37d60ebed8ec37f180ff4c026f04f76f84280aaad865da886b21544019f5
- SHA512
  
  8c8f25783573da53c61c692159b7645855b623fdba0f82d00c487d6e2f893b4b4ef940661168a452459d10e5bf8889dae552ec069d5b3ce23543466b841972d9
- SSDEEP
  
  12288:Ro6QZKN8RMELcXfMOBw+NF+9cIdTAN/9x/rsIMNoUMCOvCCSFFzBm//AAyX71aIt:WbjRmXUOod6V+IMNbOvvSbB4/cZ
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan