darkcomet | 8ace767a080fa7f21b454fc4652c7db4a629b15b9d53a66e570ae0e4ea5daa43 | Triage

Sharing

General

Target

9b094a5fe7d25e1c1510fd334e69417a_JaffaCakes118
Size

4.9MB
Sample

241125-mzxhbssrg1
MD5

9b094a5fe7d25e1c1510fd334e69417a
SHA1

1a7e7435cbcc798fce50c0f66b9b507fde5ba15a
SHA256

8ace767a080fa7f21b454fc4652c7db4a629b15b9d53a66e570ae0e4ea5daa43
SHA512

ad5175c4e9dfef8da35f3477fd782b6beee77c770cf7795f191124304d8bbeaefb416a5a55c1daecd3f2bd1aaf9f04651ce63f4b2106afdf19659c6add6e1432
SSDEEP

24576:J/F7Ju6OqDIUjjPROsBl6tYYJYMgnC2uNkMdtnUUDWVvP7nXDsx6kzWS1DlOpFoY:zNPDIUjrvwPgr8rDDO7n26SWwOpiUL7

Score

10^/10

darkcomet 9/21/13 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

9/21/13

C2

davidgarcia.no-ip.biz:1604

Mutex

DC_MUTEX-WZKKJZQ

Attributes

InstallPath
MSDCSC\scvhost.exe
gencode
PBqzA7TLE5pH
install
true
offline_keylogger
true
persistence
true
reg_key
scvhost update

Targets

- Target
  
  9b094a5fe7d25e1c1510fd334e69417a_JaffaCakes118
- Size
  
  4.9MB
- MD5
  
  9b094a5fe7d25e1c1510fd334e69417a
- SHA1
  
  1a7e7435cbcc798fce50c0f66b9b507fde5ba15a
- SHA256
  
  8ace767a080fa7f21b454fc4652c7db4a629b15b9d53a66e570ae0e4ea5daa43
- SHA512
  
  ad5175c4e9dfef8da35f3477fd782b6beee77c770cf7795f191124304d8bbeaefb416a5a55c1daecd3f2bd1aaf9f04651ce63f4b2106afdf19659c6add6e1432
- SSDEEP
  
  24576:J/F7Ju6OqDIUjjPROsBl6tYYJYMgnC2uNkMdtnUUDWVvP7nXDsx6kzWS1DlOpFoY:zNPDIUjrvwPgr8rDDO7n26SWwOpiUL7
Score

10^/10

darkcomet 9/21/13 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomet9/21/13discoverypersistencerattrojan

behavioral2

darkcomet9/21/13discoverypersistencerattrojan