darkcomet | b950c043a68838be5063023a56acbec649f7aa899ce9e0388ee76e5f46e83dc2 | Triage

Sharing

General

Target

be1f6ed7e476a99aeac91c347d129094_JaffaCakes118
Size

507KB
Sample

241203-tcsdessjdz
MD5

be1f6ed7e476a99aeac91c347d129094
SHA1

c94b901b7118c2ba2d47b8aaef666b31bb53e623
SHA256

b950c043a68838be5063023a56acbec649f7aa899ce9e0388ee76e5f46e83dc2
SHA512

d6be0ca5460f679203c7d1055862775d3420abe1b77fdcb3a42f910d55bbf06898cd0ce6f2bf00dbd47225b64fd726e1fafd23cf3a908812de757e86feca70e1
SSDEEP

12288:7Ir1jBmKwK1f5sGAK3BFLrhKCB6uIxsj94/9pw0n1caffHf:7a1jBmKBOGpFLLV3a/Isb/

Score

10^/10

darkcomet shpackz discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Shpackz

C2

shpackz.zapto.org:5555

Mutex

DC_MUTEX-PABR8UY

Attributes

InstallPath
Windowslogans.exe
gencode
nEpsNDwg4Aet
install
true
offline_keylogger
true
persistence
false
reg_key
Windowslogans.exe

Targets

- Target
  
  be1f6ed7e476a99aeac91c347d129094_JaffaCakes118
- Size
  
  507KB
- MD5
  
  be1f6ed7e476a99aeac91c347d129094
- SHA1
  
  c94b901b7118c2ba2d47b8aaef666b31bb53e623
- SHA256
  
  b950c043a68838be5063023a56acbec649f7aa899ce9e0388ee76e5f46e83dc2
- SHA512
  
  d6be0ca5460f679203c7d1055862775d3420abe1b77fdcb3a42f910d55bbf06898cd0ce6f2bf00dbd47225b64fd726e1fafd23cf3a908812de757e86feca70e1
- SSDEEP
  
  12288:7Ir1jBmKwK1f5sGAK3BFLrhKCB6uIxsj94/9pw0n1caffHf:7a1jBmKBOGpFLLV3a/Isb/
Score

10^/10

darkcomet shpackz discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometshpackzdiscoveryevasionpersistencerattrojan

behavioral2

darkcometshpackzdiscoveryevasionpersistencerattrojan