darkcomet | a5b6a5a91945f35f2489ee473e0effa1ff4838a18de47c4af3121926d296a7d1 | Triage

Sharing

General

Target

JaffaCakes118_2df12d1179404ecf99091fc75f315837
Size

719KB
Sample

250125-vw9mgssqax
MD5

2df12d1179404ecf99091fc75f315837
SHA1

112cbe59057674cfa6b66c3524ba7ace48b0afad
SHA256

a5b6a5a91945f35f2489ee473e0effa1ff4838a18de47c4af3121926d296a7d1
SHA512

f6cb30884982f76283c506a4bc38e9cb63ea335efc99fa9980744f06f9e47aaf2159a66764de48d801df3e84ba22810c7ae8ba9c91e92ae3abe8cd01f8433069
SSDEEP

12288:gqdVQkLvAXIm/h0PJ1JGRwii53ho0VwFFct8MT/jifjcrjpTw:gmVQkLvAv0PJ1JGdaho0Vwc8O2bmxw

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-8BPSXEG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
QgNShfJAD75r
install
true
offline_keylogger
true
password
12345
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  JaffaCakes118_2df12d1179404ecf99091fc75f315837
- Size
  
  719KB
- MD5
  
  2df12d1179404ecf99091fc75f315837
- SHA1
  
  112cbe59057674cfa6b66c3524ba7ace48b0afad
- SHA256
  
  a5b6a5a91945f35f2489ee473e0effa1ff4838a18de47c4af3121926d296a7d1
- SHA512
  
  f6cb30884982f76283c506a4bc38e9cb63ea335efc99fa9980744f06f9e47aaf2159a66764de48d801df3e84ba22810c7ae8ba9c91e92ae3abe8cd01f8433069
- SSDEEP
  
  12288:gqdVQkLvAXIm/h0PJ1JGRwii53ho0VwFFct8MT/jifjcrjpTw:gmVQkLvAv0PJ1JGdaho0Vwc8O2bmxw
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan