darkcomet | 78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654 | Triage

Sharing

General

Target

JaffaCakes118_786b98bcff876f951273fed95487eb00
Size

818KB
Sample

250104-h9azvsyqdz
MD5

786b98bcff876f951273fed95487eb00
SHA1

cb93b11234aa9ac2d2b6bf6a40dadb59c435f448
SHA256

78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654
SHA512

95f6c959f3fe51f234d315d749d1cc4cafb4ba027638c72b6a75a7de3339d5484a77d6244ca38fc8f958ef331093a76cd92ab54f1088354cd905e87e51909e82
SSDEEP

24576:BK4U9Ot+ogFV7gxzq6SOEo9no4DtLIBbl+z2kT:o4Uw+LF9gJL+om61j

Score

10^/10

darkcomet slave discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

ghost1997.no-ip.biz:1337

Mutex

DC_MUTEX-AZZ26SG

Attributes

gencode
v1pe6tD2bNTU
install
false
offline_keylogger
true
persistence
false

Targets

- Target
  
  JaffaCakes118_786b98bcff876f951273fed95487eb00
- Size
  
  818KB
- MD5
  
  786b98bcff876f951273fed95487eb00
- SHA1
  
  cb93b11234aa9ac2d2b6bf6a40dadb59c435f448
- SHA256
  
  78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654
- SHA512
  
  95f6c959f3fe51f234d315d749d1cc4cafb4ba027638c72b6a75a7de3339d5484a77d6244ca38fc8f958ef331093a76cd92ab54f1088354cd905e87e51909e82
- SSDEEP
  
  24576:BK4U9Ot+ogFV7gxzq6SOEo9no4DtLIBbl+z2kT:o4Uw+LF9gJL+om61j
Score

10^/10

darkcomet slave discovery evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometslavediscoveryevasionpersistencerattrojan

behavioral2

darkcometslavediscoveryevasionpersistencerattrojan