darkcomet | 9297c4ff4b04787c2561f6c32e09c5aa98b6930c8c2cc9bc7332ac4aa3950b28 | Triage

Sharing

General

Target

4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118
Size

778KB
Sample

241016-n589rayakc
MD5

4cbb202d7c3ab05996c4adf4b5699d94
SHA1

c3e7e9a20e7d2c5cacd2c70dd98f36e85e4fb7be
SHA256

9297c4ff4b04787c2561f6c32e09c5aa98b6930c8c2cc9bc7332ac4aa3950b28
SHA512

3dd690d570f0d05c5f33c295bcf7d35847402d0304299bba043d2614f8e94caeb346fc55ed46da6444048997528b7191bffae6b6c5ea19b1d5038e3c7b11cd58
SSDEEP

12288:MshgmzsbGEI8EAGZ/fzpPAxhbpdhfwqzEwoeC1u+2YyrJ49tUDLHa1WnfZZ1ooUf:qm8idAxNN1DoDkXr+0aYZ7nA44oS53

Score

10^/10

darkcomet victim discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

C2

craigkc.no-ip.biz:1604

Mutex

DC_MUTEX-GCQ0EQH

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
tjNQY0ZuLDn8
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Targets

- Target
  
  4cbb202d7c3ab05996c4adf4b5699d94_JaffaCakes118
- Size
  
  778KB
- MD5
  
  4cbb202d7c3ab05996c4adf4b5699d94
- SHA1
  
  c3e7e9a20e7d2c5cacd2c70dd98f36e85e4fb7be
- SHA256
  
  9297c4ff4b04787c2561f6c32e09c5aa98b6930c8c2cc9bc7332ac4aa3950b28
- SHA512
  
  3dd690d570f0d05c5f33c295bcf7d35847402d0304299bba043d2614f8e94caeb346fc55ed46da6444048997528b7191bffae6b6c5ea19b1d5038e3c7b11cd58
- SSDEEP
  
  12288:MshgmzsbGEI8EAGZ/fzpPAxhbpdhfwqzEwoeC1u+2YyrJ49tUDLHa1WnfZZ1ooUf:qm8idAxNN1DoDkXr+0aYZ7nA44oS53
Score

10^/10

darkcomet victim discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometvictimdiscoveryevasionpersistencerattrojan

behavioral2