darkcomet | a79d139f574ab456c8f8bfdad569ebbf090d4ad1d4e63ede6941ec650c533eac | Triage

Sharing

General

Target

JaffaCakes118_e707fc89bd2d508e50634e1152e5521e
Size

745KB
Sample

250211-q853lsvlas
MD5

e707fc89bd2d508e50634e1152e5521e
SHA1

ab22967d33aad6bbb7cbc0a8d9c2c7b52011fcd4
SHA256

a79d139f574ab456c8f8bfdad569ebbf090d4ad1d4e63ede6941ec650c533eac
SHA512

64666a6e91f996a89546038b165887b19485142ba13a4300688ef721b67a69de24218fa0b72d4109256afbbee06f1e7e41d639dbb38268375ecda155404c2f0f
SSDEEP

12288:MaAchpWsuVTv7ItY8XljyypHPucOLBev03hlULsmWZ++09ZcKDVsgdVl:tAEENIq8XwyVPxclDq/+WnpsS

Score

10^/10

darkcomet guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

omaromar.zapto.org:1604

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
6tQz%Mw98*5R
install
true
offline_keylogger
true
persistence
false
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_e707fc89bd2d508e50634e1152e5521e
- Size
  
  745KB
- MD5
  
  e707fc89bd2d508e50634e1152e5521e
- SHA1
  
  ab22967d33aad6bbb7cbc0a8d9c2c7b52011fcd4
- SHA256
  
  a79d139f574ab456c8f8bfdad569ebbf090d4ad1d4e63ede6941ec650c533eac
- SHA512
  
  64666a6e91f996a89546038b165887b19485142ba13a4300688ef721b67a69de24218fa0b72d4109256afbbee06f1e7e41d639dbb38268375ecda155404c2f0f
- SSDEEP
  
  12288:MaAchpWsuVTv7ItY8XljyypHPucOLBev03hlULsmWZ++09ZcKDVsgdVl:tAEENIq8XwyVPxclDq/+WnpsS
Score

10^/10

darkcomet guest16 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16discoverypersistencerattrojan

behavioral2

darkcometguest16discoverypersistencerattrojan