darkcomet | 8930c1b5c15e8c35e0f14f968f618cd957e827a034659e921fbdf89d7a16ec5b | Triage

Sharing

General

Target

9445a116feb5ab7c93898103f87e3c0c_JaffaCakes118
Size

1.0MB
Sample

241124-m8qfdasqcl
MD5

9445a116feb5ab7c93898103f87e3c0c
SHA1

108e70f0d6ba43c9364f152daff02c308b5fbaf8
SHA256

8930c1b5c15e8c35e0f14f968f618cd957e827a034659e921fbdf89d7a16ec5b
SHA512

9cae42b41cc8cfa5911cb2c440ea9ff253decae2d4f7149ed582872ff36ef15a23fd0d5a2349bd8d5ee1a2ccbff8dc5c5f6a0cf89a3a2d1fb69832c3be2964c7
SSDEEP

24576:rhnvOTggIRfmQX3zRYC6FVZPv+FWe4Ys/E:5jYlDZ3+UT/E

Score

10^/10

darkcomet test discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

test

C2

dgspy.no-ip.org:200

Mutex

DC_MUTEX-VVXYM1W

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
CcGcGg63997j
install
true
offline_keylogger
true
persistence
true
reg_key
test

Targets

- Target
  
  9445a116feb5ab7c93898103f87e3c0c_JaffaCakes118
- Size
  
  1.0MB
- MD5
  
  9445a116feb5ab7c93898103f87e3c0c
- SHA1
  
  108e70f0d6ba43c9364f152daff02c308b5fbaf8
- SHA256
  
  8930c1b5c15e8c35e0f14f968f618cd957e827a034659e921fbdf89d7a16ec5b
- SHA512
  
  9cae42b41cc8cfa5911cb2c440ea9ff253decae2d4f7149ed582872ff36ef15a23fd0d5a2349bd8d5ee1a2ccbff8dc5c5f6a0cf89a3a2d1fb69832c3be2964c7
- SSDEEP
  
  24576:rhnvOTggIRfmQX3zRYC6FVZPv+FWe4Ys/E:5jYlDZ3+UT/E
Score

10^/10

darkcomet test discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomettestdiscoveryevasionpersistencerattrojan

behavioral2

darkcomettestdiscoveryevasionpersistencerattrojan