darkcomet | ef90da3561d7571e14882aa13fbe3f4e35f0883f5570fbb0f7b6e7e62e94ab72 | Triage

Sharing

General

Target

JaffaCakes118_632f28fdf1de3a1e531b830e5610c12f
Size

978KB
Sample

250102-g3682sxnev
MD5

632f28fdf1de3a1e531b830e5610c12f
SHA1

05e76ccae3e599787869494007da82b398e6e7e4
SHA256

ef90da3561d7571e14882aa13fbe3f4e35f0883f5570fbb0f7b6e7e62e94ab72
SHA512

f5bdece4c8a2c06a6d5377a7a46f1574a51f69c96dfd636bf650673af1af21836526ed6fc3b615e28eff64622af20f86e7aded31a9d1242a411903e66948cb18
SSDEEP

12288:Fw17csJbGOxU1bidOWH0VFzFpDYcvttrBt/SFZyXBR1ls/iMdDFcqm/vZwEVn:E7cm+1bidZepDYclVUoX1iaMdRepZ

Score

10^/10

darkcomet darkratz discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DarkRatZ

C2

serverofrats.no-ip.biz:200

Mutex

DC_MUTEX-ECB76MB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
n9NGEAUG1eMJ
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Targets

- Target
  
  JaffaCakes118_632f28fdf1de3a1e531b830e5610c12f
- Size
  
  978KB
- MD5
  
  632f28fdf1de3a1e531b830e5610c12f
- SHA1
  
  05e76ccae3e599787869494007da82b398e6e7e4
- SHA256
  
  ef90da3561d7571e14882aa13fbe3f4e35f0883f5570fbb0f7b6e7e62e94ab72
- SHA512
  
  f5bdece4c8a2c06a6d5377a7a46f1574a51f69c96dfd636bf650673af1af21836526ed6fc3b615e28eff64622af20f86e7aded31a9d1242a411903e66948cb18
- SSDEEP
  
  12288:Fw17csJbGOxU1bidOWH0VFzFpDYcvttrBt/SFZyXBR1ls/iMdDFcqm/vZwEVn:E7cm+1bidZepDYclVUoX1iaMdRepZ
Score

10^/10

darkcomet darkratz discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdarkratzdiscoveryevasionpersistencerattrojan

behavioral2

darkcometdarkratzdiscoveryevasionpersistencerattrojan