darkcomet | ae6e952450c6e35bfd8f822b5b2b25dc87c90a6b042a597d3f5947b0e7935d56 | Triage

Sharing

General

Target

JaffaCakes118_6d0073f6687511c35e8d39f3e8131756
Size

658KB
Sample

250103-qv8xcazjgk
MD5

6d0073f6687511c35e8d39f3e8131756
SHA1

7e42f148dc800d89e58405e269270c21f055b6d9
SHA256

ae6e952450c6e35bfd8f822b5b2b25dc87c90a6b042a597d3f5947b0e7935d56
SHA512

c4a58b67cae2c64307e77627ca303d3e39ef453d9c1a49d52c1dc111c65bd82495c7ae64ca27373848d29971cc20ac27de8f4daa543c1a5bc9f4da3a810d3147
SSDEEP

12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hq:+Z1xuVVjfFoynPaVBUR8f+kN10EBM

Score

10^/10

darkcomet victim discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victim

C2

tralalalalala.no-ip.biz:52270

Mutex

DCMIN_MUTEX-KGWGF07

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
0bwYxtYBJ6BM
install
true
offline_keylogger
true
persistence
false
reg_key
tr

Targets

- Target
  
  JaffaCakes118_6d0073f6687511c35e8d39f3e8131756
- Size
  
  658KB
- MD5
  
  6d0073f6687511c35e8d39f3e8131756
- SHA1
  
  7e42f148dc800d89e58405e269270c21f055b6d9
- SHA256
  
  ae6e952450c6e35bfd8f822b5b2b25dc87c90a6b042a597d3f5947b0e7935d56
- SHA512
  
  c4a58b67cae2c64307e77627ca303d3e39ef453d9c1a49d52c1dc111c65bd82495c7ae64ca27373848d29971cc20ac27de8f4daa543c1a5bc9f4da3a810d3147
- SSDEEP
  
  12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hq:+Z1xuVVjfFoynPaVBUR8f+kN10EBM
Score

10^/10

darkcomet victim discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

victimdarkcomet

behavioral1

darkcometvictimdiscoverypersistencerattrojan

behavioral2

darkcometvictimdiscoverypersistencerattrojan