darkcomet | 2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab | Triage

Sharing

General

Target

JaffaCakes118_60ff825e3ff5052c835683f1fb29c120
Size

747KB
Sample

250101-2a8avsxpdy
MD5

60ff825e3ff5052c835683f1fb29c120
SHA1

a9cfe3bf2cec17f9418796472f7df10c8e185bd9
SHA256

2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab
SHA512

0aa723755a46c73991222a6c30d566f2cbf5b803846741b8c03e638af77c9af62e08a000e6421ba2b48f97d2d66cee02cee6fa762d75b28e140f7ba3f2d18d3c
SSDEEP

12288:AWK7oOJcwYaz1scSsuvKfKdEJuw/p4ot36uddMVL88Dp76c:6Fttz1sZspidZw/6wmV16

Score

10^/10

darkcomet slaves discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

slaves

C2

droplul.no-ip.biz:1604

Mutex

DC_MUTEX-0CW3JAL

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
zV0CJmM1DVd0
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  JaffaCakes118_60ff825e3ff5052c835683f1fb29c120
- Size
  
  747KB
- MD5
  
  60ff825e3ff5052c835683f1fb29c120
- SHA1
  
  a9cfe3bf2cec17f9418796472f7df10c8e185bd9
- SHA256
  
  2fb57730888928c519502ebd41cf6ea6397ddbf156e2e997046b6103666f9cab
- SHA512
  
  0aa723755a46c73991222a6c30d566f2cbf5b803846741b8c03e638af77c9af62e08a000e6421ba2b48f97d2d66cee02cee6fa762d75b28e140f7ba3f2d18d3c
- SSDEEP
  
  12288:AWK7oOJcwYaz1scSsuvKfKdEJuw/p4ot36uddMVL88Dp76c:6Fttz1sZspidZw/6wmV16
Score

10^/10

darkcomet slaves discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometslavesdiscoveryevasionpersistencerattrojan

behavioral2

discoverypersistence