darkcomet | af8dfbb8e5fe366aa99d1f63f2646e340624bf60dbf2ca49fafdd9f7a7ef6758 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ef473de20ad30b4b1b6a62fa098d950b_JaffaCakes118
Size

502KB
Sample

241214-r4lnvavpfy
MD5

ef473de20ad30b4b1b6a62fa098d950b
SHA1

d8c6b974fcaf6a262ef487afb7cf68359310f31b
SHA256

af8dfbb8e5fe366aa99d1f63f2646e340624bf60dbf2ca49fafdd9f7a7ef6758
SHA512

0e76a8a01a085c43da83da87b13c40ccb7f19b0b3f8871ad1a68c628d4ef84f054f8bd76b9aba6ac3d2d1480791ac6d94843b3adf56f331aafb6ba906ca1a5e3
SSDEEP

12288:PCMraPSx9BQ26xD6CPqbohjayHxtgFVd2BHqFa:6MOPSx7Qx5vPJZRtgFVKZ

Score

10^/10

darkcomet school discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

school

C2

192.168.1.49:1604

Mutex

DC_MUTEX-7Z4VQFQ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Szzv92MS64pF
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  ef473de20ad30b4b1b6a62fa098d950b_JaffaCakes118
- Size
  
  502KB
- MD5
  
  ef473de20ad30b4b1b6a62fa098d950b
- SHA1
  
  d8c6b974fcaf6a262ef487afb7cf68359310f31b
- SHA256
  
  af8dfbb8e5fe366aa99d1f63f2646e340624bf60dbf2ca49fafdd9f7a7ef6758
- SHA512
  
  0e76a8a01a085c43da83da87b13c40ccb7f19b0b3f8871ad1a68c628d4ef84f054f8bd76b9aba6ac3d2d1480791ac6d94843b3adf56f331aafb6ba906ca1a5e3
- SSDEEP
  
  12288:PCMraPSx9BQ26xD6CPqbohjayHxtgFVd2BHqFa:6MOPSx7Qx5vPJZRtgFVKZ
Score

10^/10

darkcomet school discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometschooldiscoveryevasionpersistencerattrojan

behavioral2

darkcometschooldiscoveryevasionpersistencerattrojan