darkcomet | 8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21 | Triage

Sharing

General

Target

25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118
Size

473KB
Sample

241008-zqy11szbmg
MD5

25551cee9ff2bdf1dac8e1055dd032a9
SHA1

9d70aed23a2433ffe75da99901773e9b8e4c21d8
SHA256

8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21
SHA512

137771d652bb8a4b402253f76c8a3721e919904bb79b771af58bd2af9dd7321236e6987a92d7309a3f616c4d5762f179c02be612b32452a6367cb8df4845570c
SSDEEP

12288:YxJUrEfN7kCrIDiTtmW3V6Cjuhiat2h1vDSNqCNQ7/:iJgE17Satm8AKUiLhdDSpe7/

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

192.168.1.38:1604

Mutex

DC_MUTEX-RJ267FP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
BU2uq8phh1yH
install
true
offline_keylogger
true
persistence
false
reg_key
skype.exe

Targets

- Target
  
  25551cee9ff2bdf1dac8e1055dd032a9_JaffaCakes118
- Size
  
  473KB
- MD5
  
  25551cee9ff2bdf1dac8e1055dd032a9
- SHA1
  
  9d70aed23a2433ffe75da99901773e9b8e4c21d8
- SHA256
  
  8728e662f0d64c3f93ce0e58d5828ebae0dbd909de1a4f28894f2fee30b72f21
- SHA512
  
  137771d652bb8a4b402253f76c8a3721e919904bb79b771af58bd2af9dd7321236e6987a92d7309a3f616c4d5762f179c02be612b32452a6367cb8df4845570c
- SSDEEP
  
  12288:YxJUrEfN7kCrIDiTtmW3V6Cjuhiat2h1vDSNqCNQ7/:iJgE17Satm8AKUiLhdDSpe7/
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2

darkcometguest16discoveryevasionpersistencerattrojan