darkcomet | e1f04c9b99e42c5bb10ccfd7c39143032f2e0bb2ece2059eb7ead0b463ff5f01 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...84.exe

windows7-x64

JaffaCakes...84.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_a49559a200d60501832dfec97f359084
Size

1.7MB
Sample

250205-2w3bqsxkek
MD5

a49559a200d60501832dfec97f359084
SHA1

ca9e1cc0ab5bb028ab1563ff0bb50d775a001b3a
SHA256

e1f04c9b99e42c5bb10ccfd7c39143032f2e0bb2ece2059eb7ead0b463ff5f01
SHA512

aeda9ea95014ea2e53298d313cb970f65f6dc59d7fcc44fce1d496a132565f21a9a87cf89cb27c6c9acd340c83a1b3d607204fc4510572b07d3de07a5144cce1
SSDEEP

24576:6Un4Pm0DnaOKPdJ2if1iznaThZEvTOPm+qc9Tr2+jgc1:tg5aO3xGfRbe+V

Score

10^/10

darkcomet defense_evasion discovery persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_a49559a200d60501832dfec97f359084.exe

Resource

win7-20240903-en

darkcomet defense_evasion discovery persistence rat trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_a49559a200d60501832dfec97f359084.exe

Resource

win10v2004-20250129-en

darkcomet defense_evasion discovery persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_a49559a200d60501832dfec97f359084
- Size
  
  1.7MB
- MD5
  
  a49559a200d60501832dfec97f359084
- SHA1
  
  ca9e1cc0ab5bb028ab1563ff0bb50d775a001b3a
- SHA256
  
  e1f04c9b99e42c5bb10ccfd7c39143032f2e0bb2ece2059eb7ead0b463ff5f01
- SHA512
  
  aeda9ea95014ea2e53298d313cb970f65f6dc59d7fcc44fce1d496a132565f21a9a87cf89cb27c6c9acd340c83a1b3d607204fc4510572b07d3de07a5144cce1
- SSDEEP
  
  24576:6Un4Pm0DnaOKPdJ2if1iznaThZEvTOPm+qc9Tr2+jgc1:tg5aO3xGfRbe+V
Score

10^/10

darkcomet defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometdefense_evasiondiscoverypersistencerattrojan

© 2018-2025

Terms | Privacy