darkcomet | 58034edceb6acc19031c2c373880f34d939a77943feceb87a426c3748c7e99c1 | Triage

Submit
Reports

Overview

overview

Static

static

5

4cc206e536...18.exe

windows7-x64

4cc206e536...18.exe

windows10-2004-x64

Sharing

General

Target

4cc206e536eb20827ac8b404fbfadee7_JaffaCakes118
Size

330KB
Sample

241016-pafjmascrj
MD5

4cc206e536eb20827ac8b404fbfadee7
SHA1

901d7be23fc9ec8acd872f1ef8c737948fa8d893
SHA256

58034edceb6acc19031c2c373880f34d939a77943feceb87a426c3748c7e99c1
SHA512

e13495f8dca68c525a99ff633be476b29ec1a40b52aa0df40baa6bda1fd44bed83c3b3d7d9ac28406ed5fac2927233086b1107817321d6cf7d0dfa09656ceb04
SSDEEP

6144:Q4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRse4A7qjM9e:QXgr8VMQDT52WXKq9fj5/AZjB4A2Ye

Score

10^/10

darkcomet discovery persistence rat trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

4cc206e536eb20827ac8b404fbfadee7_JaffaCakes118.exe

Resource

win7-20240708-en

darkcomet discovery persistence rat trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

4cc206e536eb20827ac8b404fbfadee7_JaffaCakes118.exe

Resource

win10v2004-20241007-en

darkcomet discovery persistence rat trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  4cc206e536eb20827ac8b404fbfadee7_JaffaCakes118
- Size
  
  330KB
- MD5
  
  4cc206e536eb20827ac8b404fbfadee7
- SHA1
  
  901d7be23fc9ec8acd872f1ef8c737948fa8d893
- SHA256
  
  58034edceb6acc19031c2c373880f34d939a77943feceb87a426c3748c7e99c1
- SHA512
  
  e13495f8dca68c525a99ff633be476b29ec1a40b52aa0df40baa6bda1fd44bed83c3b3d7d9ac28406ed5fac2927233086b1107817321d6cf7d0dfa09656ceb04
- SSDEEP
  
  6144:Q4CFfifD2gVKVTQQ249HZ52KTh9XKOCgLJacj5/AZtRse4A7qjM9e:QXgr8VMQDT52WXKq9fj5/AZjB4A2Ye
Score

10^/10

darkcomet discovery persistence rat trojan upx
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoverypersistencerattrojanupx

behavioral2

darkcometdiscoverypersistencerattrojanupx

© 2018-2024

Terms | Privacy