darkcomet | f1d06b078b4ba01577ac77d51b5b817cf0dc5aaf1f42f9a900315d1321a7c95b | Triage

Sharing

General

Target

JaffaCakes118_620745eb357249f9a22e2fd3ae78e180
Size

754KB
Sample

250102-cngydsxpht
MD5

620745eb357249f9a22e2fd3ae78e180
SHA1

4ef382dbdc997e84abcccb4e84c1ba9f72f1a7f1
SHA256

f1d06b078b4ba01577ac77d51b5b817cf0dc5aaf1f42f9a900315d1321a7c95b
SHA512

48b65ee65dda9a3490b3c8f9ce96c5738113e856b9d680a9b214e74522cad507df6ee03ba0ee3b66476a3ba351f84c3e8c621269f4c118865dd849c7d1801588
SSDEEP

12288:WyJ5A3o8pLWg8+RTEQUHJrtrloElGDBqj/5VCGPGkHdez:vsZf8+RQpJrZldlGDBqj/jCQGkHi

Score

10^/10

darkcomet latentbot hackedjuajua discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

hackedjuajua

C2

lolandtroll.zapto.org:1

Mutex

DC_MUTEX-5S19488

Attributes

InstallPath
MSdDCSC\msdcfsc.exe
gencode
oRQoqohwZ100
install
true
offline_keylogger
true
password
mortinato
persistence
true
reg_key
MicroUpdates

Extracted

Family

latentbot

C2

lolandtroll.zapto.org

Targets

- Target
  
  JaffaCakes118_620745eb357249f9a22e2fd3ae78e180
- Size
  
  754KB
- MD5
  
  620745eb357249f9a22e2fd3ae78e180
- SHA1
  
  4ef382dbdc997e84abcccb4e84c1ba9f72f1a7f1
- SHA256
  
  f1d06b078b4ba01577ac77d51b5b817cf0dc5aaf1f42f9a900315d1321a7c95b
- SHA512
  
  48b65ee65dda9a3490b3c8f9ce96c5738113e856b9d680a9b214e74522cad507df6ee03ba0ee3b66476a3ba351f84c3e8c621269f4c118865dd849c7d1801588
- SSDEEP
  
  12288:WyJ5A3o8pLWg8+RTEQUHJrtrloElGDBqj/5VCGPGkHdez:vsZf8+RQpJrZldlGDBqj/jCQGkHi
Score

10^/10

darkcomet latentbot hackedjuajua discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- LatentBot
  Modular trojan written in Delphi which has been in-the-wild since 2013.
  trojan latentbot
- Latentbot family
  latentbot
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometlatentbothackedjuajuadiscoverypersistencerattrojan

behavioral2

darkcometlatentbothackedjuajuadiscoverypersistencerattrojan