darkcomet | 9f2c1223bf1847e35f0e9c702518f7219e23e1460422e675da0c06f470481d8e | Triage

Sharing

General

Target

5e08f13a37341ae48c3fde4d5437d24c_JaffaCakes118
Size

2.9MB
Sample

241019-w35sjsshkr
MD5

5e08f13a37341ae48c3fde4d5437d24c
SHA1

84176b7235e0a7dce59535256dd1fa9328e1cafc
SHA256

9f2c1223bf1847e35f0e9c702518f7219e23e1460422e675da0c06f470481d8e
SHA512

551a4ef7dc9cf68d2aff22ba5d18afd123d3f9b3065a7f360fca73a613445b6373f44fd13ac940eb8747333a4a3921dd754efa33992b36113c2a9f3c0c31c8fe
SSDEEP

49152:zgEnoSE5fyZYJxiOEPyZYJxiOEr2eh0NN9ZmR/IO:zgEnoSE5b

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  5e08f13a37341ae48c3fde4d5437d24c_JaffaCakes118
- Size
  
  2.9MB
- MD5
  
  5e08f13a37341ae48c3fde4d5437d24c
- SHA1
  
  84176b7235e0a7dce59535256dd1fa9328e1cafc
- SHA256
  
  9f2c1223bf1847e35f0e9c702518f7219e23e1460422e675da0c06f470481d8e
- SHA512
  
  551a4ef7dc9cf68d2aff22ba5d18afd123d3f9b3065a7f360fca73a613445b6373f44fd13ac940eb8747333a4a3921dd754efa33992b36113c2a9f3c0c31c8fe
- SSDEEP
  
  49152:zgEnoSE5fyZYJxiOEPyZYJxiOEr2eh0NN9ZmR/IO:zgEnoSE5b
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoverypersistencerattrojan