darkcomet | 66b290bd6e0e5c86115f902a522bcf392c74439ee501cfbcbcfd177c3b6e1ac0 | Triage

Sharing

General

Target

JaffaCakes118_ea8b87801bb8b0f57c091264a1e92152
Size

691KB
Sample

250211-1jf3asspbr
MD5

ea8b87801bb8b0f57c091264a1e92152
SHA1

31a8d44f2babcf54dcc64335f69de3a5c543f4a7
SHA256

66b290bd6e0e5c86115f902a522bcf392c74439ee501cfbcbcfd177c3b6e1ac0
SHA512

640813afa9e4a60ea4ffca18751dab92f3512beb6d161e42646651b1fd7480ac91db4314ffafa1617b2237df28ef2a521371c9aedc014a3be457520f0c1cbacb
SSDEEP

12288:vGfWXLjuau1NGcCd5VpJslcXIPbdH7Ojtfuju+YzXDy0dIhKpk:vRXLTu1Nudl6IIPbB7q

Score

10^/10

darkcomet hijack defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hijack

C2

abcdgl.mooo.com:1604

winrarsfx.linkpc.net:1604

glhacker.zapto.org:1604

winrarsfx.zapto.org:1604

Mutex

DC_MUTEX-7HFL2F5

Attributes

InstallPath
Microsoft\msdcsc.exe
gencode
BwrRwkSkXJa3
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_ea8b87801bb8b0f57c091264a1e92152
- Size
  
  691KB
- MD5
  
  ea8b87801bb8b0f57c091264a1e92152
- SHA1
  
  31a8d44f2babcf54dcc64335f69de3a5c543f4a7
- SHA256
  
  66b290bd6e0e5c86115f902a522bcf392c74439ee501cfbcbcfd177c3b6e1ac0
- SHA512
  
  640813afa9e4a60ea4ffca18751dab92f3512beb6d161e42646651b1fd7480ac91db4314ffafa1617b2237df28ef2a521371c9aedc014a3be457520f0c1cbacb
- SSDEEP
  
  12288:vGfWXLjuau1NGcCd5VpJslcXIPbdH7Ojtfuju+YzXDy0dIhKpk:vRXLTu1Nudl6IIPbB7q
Score

10^/10

darkcomet hijack defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethijackdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcomethijackdefense_evasiondiscoverypersistencerattrojan