darkcomet | 53acd5f520a5a12605e262e8ac057dc58652bb31adabe17e319e4638e73a51d2 | Triage

Sharing

General

Target

JaffaCakes118_b6ab3d7bdb56f0c8c26d91eae185b923
Size

647KB
Sample

250207-nx3f8s1jdl
MD5

b6ab3d7bdb56f0c8c26d91eae185b923
SHA1

b74edc4ade72b208ee0272d29e36c6cffd296e2f
SHA256

53acd5f520a5a12605e262e8ac057dc58652bb31adabe17e319e4638e73a51d2
SHA512

cff68090a3277290b3f7666ce3114a2eece09fb1ae8555b08375c7bc38afc8b3f831974d4411c1b0150f2407d19cd4e908433ef080fa39ad4c9ee87a9a228564
SSDEEP

12288:A8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixR:5UKoN0bUxgGa/pfBHDb+y1HgZj

Score

10^/10

darkcomet guest2 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest2

C2

127.0.0.1:1604

Mutex

DC_MUTEX-6EMK09R

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ff=YeNz#=NJr
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_b6ab3d7bdb56f0c8c26d91eae185b923
- Size
  
  647KB
- MD5
  
  b6ab3d7bdb56f0c8c26d91eae185b923
- SHA1
  
  b74edc4ade72b208ee0272d29e36c6cffd296e2f
- SHA256
  
  53acd5f520a5a12605e262e8ac057dc58652bb31adabe17e319e4638e73a51d2
- SHA512
  
  cff68090a3277290b3f7666ce3114a2eece09fb1ae8555b08375c7bc38afc8b3f831974d4411c1b0150f2407d19cd4e908433ef080fa39ad4c9ee87a9a228564
- SSDEEP
  
  12288:A8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixR:5UKoN0bUxgGa/pfBHDb+y1HgZj
Score

10^/10

darkcomet guest2 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest2darkcomet

behavioral1

darkcometguest2defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest2defense_evasiondiscoverypersistencerattrojan