darkcomet | 6ed84e0197a5bf4e834fa98440f9f8607bee10760f38f2eafc2a9043ca9f8a9e | Triage

Sharing

Copy URL Twitter E-mail

General

Target

3c3b5e6cb2cac91e3772b39720ce46ae_JaffaCakes118
Size

607KB
Sample

241012-1t2rraxfpq
MD5

3c3b5e6cb2cac91e3772b39720ce46ae
SHA1

76023688deb83652f0244fe1532d2d3ff161ef62
SHA256

6ed84e0197a5bf4e834fa98440f9f8607bee10760f38f2eafc2a9043ca9f8a9e
SHA512

79fb026295de31f5152539d24a632e67b8e756342c707f6b2a5c24d92bc23a138d93a70a7f7dfcf3eace8ff7028cb0b14b0a20bdbad21f97f684af2f1dd10d2d
SSDEEP

12288:YZeVQkTrvj4XR6TppPJA8wVmeR5Z/kW3pC/w553Z6h4FPgq69hEsjfhNcMvb:YwQkTf4BuYJRHkqpC/A5Y8PgqofrIqb

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  3c3b5e6cb2cac91e3772b39720ce46ae_JaffaCakes118
- Size
  
  607KB
- MD5
  
  3c3b5e6cb2cac91e3772b39720ce46ae
- SHA1
  
  76023688deb83652f0244fe1532d2d3ff161ef62
- SHA256
  
  6ed84e0197a5bf4e834fa98440f9f8607bee10760f38f2eafc2a9043ca9f8a9e
- SHA512
  
  79fb026295de31f5152539d24a632e67b8e756342c707f6b2a5c24d92bc23a138d93a70a7f7dfcf3eace8ff7028cb0b14b0a20bdbad21f97f684af2f1dd10d2d
- SSDEEP
  
  12288:YZeVQkTrvj4XR6TppPJA8wVmeR5Z/kW3pC/w553Z6h4FPgq69hEsjfhNcMvb:YwQkTf4BuYJRHkqpC/A5Y8PgqofrIqb
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan