darkcomet | 3b92f81a930e9ec017e3cab0afeb1314570390f7ec19ba94a5be367eb91e4b83 | Triage

Sharing

General

Target

JaffaCakes118_77450408bd213a02cde73938a9637ac5
Size

30.5MB
Sample

250104-dpzp9s1jbn
MD5

77450408bd213a02cde73938a9637ac5
SHA1

42646441beb6ffd2b32e5bbe6421af1c03c50e24
SHA256

3b92f81a930e9ec017e3cab0afeb1314570390f7ec19ba94a5be367eb91e4b83
SHA512

d212daa81277715a478726d1de8ebe1b2b7cfc610629a67e343b84f6e7df7b98529e4832c43845b89f76034e7f8f0ae1595ced4b24667f23e79f93b81a680d5c
SSDEEP

24576:bkFoef0wlYuX9D/rJ1RnfjNQfyvL0SpUVPENdOYHSSSSQoS:YFoi0wlYc9zhifyT05VPElg

Score

10^/10

darkcomet spread 1.7.04 bootkit discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

spread 1.7.04

C2

grunz.no-ip.biz:1604

Mutex

DC_MUTEX-VLMMDM0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
h6v8dGU4NPvm
install
true
offline_keylogger
true
password
hub
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  JaffaCakes118_77450408bd213a02cde73938a9637ac5
- Size
  
  30.5MB
- MD5
  
  77450408bd213a02cde73938a9637ac5
- SHA1
  
  42646441beb6ffd2b32e5bbe6421af1c03c50e24
- SHA256
  
  3b92f81a930e9ec017e3cab0afeb1314570390f7ec19ba94a5be367eb91e4b83
- SHA512
  
  d212daa81277715a478726d1de8ebe1b2b7cfc610629a67e343b84f6e7df7b98529e4832c43845b89f76034e7f8f0ae1595ced4b24667f23e79f93b81a680d5c
- SSDEEP
  
  24576:bkFoef0wlYuX9D/rJ1RnfjNQfyvL0SpUVPENdOYHSSSSQoS:YFoi0wlYc9zhifyT05VPElg
Score

10^/10

darkcomet spread 1.7.04 bootkit discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometspread 1.7.04bootkitdiscoveryevasionpersistencerattrojan

behavioral2

darkcometspread 1.7.04bootkitdiscoveryevasionpersistencerattrojan