darkcomet | 027067f36ed67009d96584f1a8f71dc6ebcba2744fdf537ab9743555f4c4cb61 | Triage

Sharing

General

Target

4f8bf7bb623ac3043637f6e9994beaf0_JaffaCakes118
Size

566KB
Sample

241016-28b1baydjc
MD5

4f8bf7bb623ac3043637f6e9994beaf0
SHA1

ef15db18e9bf71b2338e110bbc91d9e6f2a5e456
SHA256

027067f36ed67009d96584f1a8f71dc6ebcba2744fdf537ab9743555f4c4cb61
SHA512

9c36397dd6242bd627150964de65cba86df8b3e4d616ddf9b0eb1e8a6372d1b683dda7bbe38aa12724f9dc762d45d4d0b8e1e87a50326e4cd887ee63db7ebda2
SSDEEP

12288:ZClL5bFlF4J0usCwvM+HDPtmDdeXpVTtHNbPVIHsWiEPm:2L5je0usCiDPg5e7htwLiAm

Score

10^/10

darkcomet newdarkcomet discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

NewDarkcomet

C2

nfree6838.no-ip.biz:1604

Mutex

DC_MUTEX-FSWVA9S

Attributes

InstallPath
Windows\Microsoft Framework V2.30.6
gencode
NZcQEjgZ8n6a
install
true
offline_keylogger
false
persistence
true
reg_key
Windows Update

Targets

- Target
  
  4f8bf7bb623ac3043637f6e9994beaf0_JaffaCakes118
- Size
  
  566KB
- MD5
  
  4f8bf7bb623ac3043637f6e9994beaf0
- SHA1
  
  ef15db18e9bf71b2338e110bbc91d9e6f2a5e456
- SHA256
  
  027067f36ed67009d96584f1a8f71dc6ebcba2744fdf537ab9743555f4c4cb61
- SHA512
  
  9c36397dd6242bd627150964de65cba86df8b3e4d616ddf9b0eb1e8a6372d1b683dda7bbe38aa12724f9dc762d45d4d0b8e1e87a50326e4cd887ee63db7ebda2
- SSDEEP
  
  12288:ZClL5bFlF4J0usCwvM+HDPtmDdeXpVTtHNbPVIHsWiEPm:2L5je0usCiDPg5e7htwLiAm
Score

10^/10

darkcomet newdarkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometnewdarkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometnewdarkcometdiscoveryevasionpersistencerattrojan