darkcomet | 7ec6eb6f91ee0c13f4b98dd9f3bddde62a22e1244111b3e3c27a51a42130af39 | Triage

Sharing

General

Target

72b3881c944a5b65102974cd718bd13a_JaffaCakes118
Size

362KB
Sample

241024-hbdcbsxcqh
MD5

72b3881c944a5b65102974cd718bd13a
SHA1

80e1defffd848951eeb859d1720fba6809a60d27
SHA256

7ec6eb6f91ee0c13f4b98dd9f3bddde62a22e1244111b3e3c27a51a42130af39
SHA512

962a72f035d5370248989b2ccecda7fc64d3798fc7d55e5ee0a1fbe109db7c613c6fb56edbeec8be1449c253cf3a8017ff83da36c47dc6d29d8777c77f0d4e76
SSDEEP

6144:gFw8wzBhaEUJ45mnk3PB4y6J1MhPrycmXN5BO9UY9FOnZKNBwgqFeOsmVmrvVry1:gFszBhqS5mEB+J1M52bk+n6BwVFeOqVy

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  72b3881c944a5b65102974cd718bd13a_JaffaCakes118
- Size
  
  362KB
- MD5
  
  72b3881c944a5b65102974cd718bd13a
- SHA1
  
  80e1defffd848951eeb859d1720fba6809a60d27
- SHA256
  
  7ec6eb6f91ee0c13f4b98dd9f3bddde62a22e1244111b3e3c27a51a42130af39
- SHA512
  
  962a72f035d5370248989b2ccecda7fc64d3798fc7d55e5ee0a1fbe109db7c613c6fb56edbeec8be1449c253cf3a8017ff83da36c47dc6d29d8777c77f0d4e76
- SSDEEP
  
  6144:gFw8wzBhaEUJ45mnk3PB4y6J1MhPrycmXN5BO9UY9FOnZKNBwgqFeOsmVmrvVry1:gFszBhqS5mEB+J1M52bk+n6BwVFeOqVy
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdiscoveryevasionpersistencerattrojan