darkcomet | 3d73d9137f3b6ce27858fdad0bc0038abe2ed9920e60deda6b571fcf493ef068 | Triage

Submit
Reports

Overview

overview

Static

static

7

86f193aaf7...18.exe

windows7-x64

86f193aaf7...18.exe

windows10-2004-x64

7

Sharing

General

Target

86f193aaf758861c331ca48e9ebba3b1_JaffaCakes118
Size

1.2MB
Sample

241102-w1w3mavkfk
MD5

86f193aaf758861c331ca48e9ebba3b1
SHA1

bf5bc11347819a2647c49e28f2d52ac17f64081b
SHA256

3d73d9137f3b6ce27858fdad0bc0038abe2ed9920e60deda6b571fcf493ef068
SHA512

9d65f9553bc3919926836917cfca5858f967bf5e036148d0bd069d7fa404b8639a600b624d80a32e0d0172b25e606b75e69082580930478766ad206ba688eea3
SSDEEP

24576:drk1rYb5zdQO0vUL70GvcHRjgOPBoPuQNoCBUodr5eZIyySjEFz27bCHhD/O2YWR:VkqFzkuBIzjFV4YPmtxWBqgIG4

Score

10^/10

darkcomet discovery evasion persistence rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

86f193aaf758861c331ca48e9ebba3b1_JaffaCakes118.exe

Resource

win7-20241010-en

darkcomet discovery evasion persistence rat themida trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

86f193aaf758861c331ca48e9ebba3b1_JaffaCakes118.exe

Resource

win10v2004-20241007-en

discovery evasion themida

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Targets

- Target
  
  86f193aaf758861c331ca48e9ebba3b1_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  86f193aaf758861c331ca48e9ebba3b1
- SHA1
  
  bf5bc11347819a2647c49e28f2d52ac17f64081b
- SHA256
  
  3d73d9137f3b6ce27858fdad0bc0038abe2ed9920e60deda6b571fcf493ef068
- SHA512
  
  9d65f9553bc3919926836917cfca5858f967bf5e036148d0bd069d7fa404b8639a600b624d80a32e0d0172b25e606b75e69082580930478766ad206ba688eea3
- SSDEEP
  
  24576:drk1rYb5zdQO0vUL70GvcHRjgOPBoPuQNoCBUodr5eZIyySjEFz27bCHhD/O2YWR:VkqFzkuBIzjFV4YPmtxWBqgIG4
Score

10^/10

darkcomet discovery evasion persistence rat themida trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistenceratthemidatrojan

behavioral2

discoveryevasionthemida

© 2018-2024

Terms | Privacy