darkcomet | 3b14c3713630bed5f72738e402d82eba4d07f14bc14c0945c14b0424a4894560 | Triage

Sharing

General

Target

JaffaCakes118_678cce26caba12d63851afc55fdee867
Size

1.3MB
Sample

250102-xw12fssjgz
MD5

678cce26caba12d63851afc55fdee867
SHA1

296b3517e29afcaa35c19a26e62f206b56c18a05
SHA256

3b14c3713630bed5f72738e402d82eba4d07f14bc14c0945c14b0424a4894560
SHA512

4d2cfbbf3a7af785cb17ac38d8e416e4577574e8690bcbcf0c2001ce69bbe8f404300683e6f974c452e6b783b35ff1d1a14ab32c76308d0ceafbbc48f0298c15
SSDEEP

24576:DZRRDQrveoR31b9lUjjEJCNEeSDDoyY3GsYe4qHasSMXLqT2KBFGKaDB3vQCGtUO:VRRMvFFxWIJOyDG3we4qrXLBKgB4aOl

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Targets

- Target
  
  JaffaCakes118_678cce26caba12d63851afc55fdee867
- Size
  
  1.3MB
- MD5
  
  678cce26caba12d63851afc55fdee867
- SHA1
  
  296b3517e29afcaa35c19a26e62f206b56c18a05
- SHA256
  
  3b14c3713630bed5f72738e402d82eba4d07f14bc14c0945c14b0424a4894560
- SHA512
  
  4d2cfbbf3a7af785cb17ac38d8e416e4577574e8690bcbcf0c2001ce69bbe8f404300683e6f974c452e6b783b35ff1d1a14ab32c76308d0ceafbbc48f0298c15
- SSDEEP
  
  24576:DZRRDQrveoR31b9lUjjEJCNEeSDDoyY3GsYe4qHasSMXLqT2KBFGKaDB3vQCGtUO:VRRMvFFxWIJOyDG3we4qrXLBKgB4aOl
Score

10^/10

darkcomet discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdiscoveryevasionpersistencerattrojan

behavioral2