darkcomet | bda554719d5b74cbf2cb72d941fba94e03dbdf3dbde789152b76bf83483565df | Triage

Sharing

General

Target

7fe4d1ff773a5b614a5ed5ce0e119988_JaffaCakes118
Size

757KB
Sample

241030-tp24dswkdt
MD5

7fe4d1ff773a5b614a5ed5ce0e119988
SHA1

0bc04b4bdda7b4edfc3344780a43c8542ef4d438
SHA256

bda554719d5b74cbf2cb72d941fba94e03dbdf3dbde789152b76bf83483565df
SHA512

aed2470edaa03eed6b43c18e43bcb5e6d1faec1eed40090882155c72b428c3da7e096317a1215771d2205cc6900fb6e594ac6c6053f7da346f926057f02c2e15
SSDEEP

12288:z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9svv6:9Z1xuVVjfFoynPaVBUR8f+kN10EBMvv6

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

cruzbiz.mooo.com:1604

Mutex

DC_MUTEX-U1P570D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
APRSFUVaZcpB
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  7fe4d1ff773a5b614a5ed5ce0e119988_JaffaCakes118
- Size
  
  757KB
- MD5
  
  7fe4d1ff773a5b614a5ed5ce0e119988
- SHA1
  
  0bc04b4bdda7b4edfc3344780a43c8542ef4d438
- SHA256
  
  bda554719d5b74cbf2cb72d941fba94e03dbdf3dbde789152b76bf83483565df
- SHA512
  
  aed2470edaa03eed6b43c18e43bcb5e6d1faec1eed40090882155c72b428c3da7e096317a1215771d2205cc6900fb6e594ac6c6053f7da346f926057f02c2e15
- SSDEEP
  
  12288:z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9svv6:9Z1xuVVjfFoynPaVBUR8f+kN10EBMvv6
Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16discoveryevasionpersistencerattrojan

behavioral2

darkcometguest16discoveryevasionpersistencerattrojan