darkcomet | 1ab08ad3617c24214fae102a148aca6a226ca4ad421150d03cd1b94e0530a1de | Triage

Sharing

General

Target

JaffaCakes118_1e411cf6a3d69cb9114fc3dcd01b7e96
Size

868KB
Sample

250113-cpgzsa1kas
MD5

1e411cf6a3d69cb9114fc3dcd01b7e96
SHA1

cd463436df317092b5c78c65d9003f024ec9089b
SHA256

1ab08ad3617c24214fae102a148aca6a226ca4ad421150d03cd1b94e0530a1de
SHA512

708286d798aa5e862e3c9a7b8f56d49cb7fb50152f523c9a4d3dddba7df81aad3ca6564b88bf594abedba3532206ae929a22dcae94f501d95226eede0121cfe7
SSDEEP

12288:oz2QauE/stl4yFstf0fy1WD3aW7QPCKB2yubdrMpeU/jlCjOXNtQzUkpX:oZaX/y4yly1WD/7QxJedYpprlKynQT

Score

10^/10

darkcomet bootkit discovery persistence rat trojan

Malware Config

Targets

- Target
  
  JaffaCakes118_1e411cf6a3d69cb9114fc3dcd01b7e96
- Size
  
  868KB
- MD5
  
  1e411cf6a3d69cb9114fc3dcd01b7e96
- SHA1
  
  cd463436df317092b5c78c65d9003f024ec9089b
- SHA256
  
  1ab08ad3617c24214fae102a148aca6a226ca4ad421150d03cd1b94e0530a1de
- SHA512
  
  708286d798aa5e862e3c9a7b8f56d49cb7fb50152f523c9a4d3dddba7df81aad3ca6564b88bf594abedba3532206ae929a22dcae94f501d95226eede0121cfe7
- SSDEEP
  
  12288:oz2QauE/stl4yFstf0fy1WD3aW7QPCKB2yubdrMpeU/jlCjOXNtQzUkpX:oZaX/y4yly1WD/7QxJedYpprlKynQT
Score

10^/10

darkcomet bootkit discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometbootkitdiscoverypersistencerattrojan

behavioral2

darkcometbootkitdiscoverypersistencerattrojan