darkcomet | 1243f5ee305134d58fbc631d13721edd2a3f4887a6f6153a207dbfb357c1151d | Triage

Sharing

General

Target

JaffaCakes118_f16ef2c3f71f856098faf2a12ebf7d58
Size

1.6MB
Sample

250212-s52xwsxqhs
MD5

f16ef2c3f71f856098faf2a12ebf7d58
SHA1

5f4a0ff4c8719c7e9cba8dc9df60c5fb3c301879
SHA256

1243f5ee305134d58fbc631d13721edd2a3f4887a6f6153a207dbfb357c1151d
SHA512

b7115cd3326612af0e43e487d2cf75d055cc8392c925b18d1a6784077f7d5a5afaeb43cbc62296cd46c78c1334e65416a121db101635e096ea92eb17d02b94bf
SSDEEP

24576:2IGD/tkRGc/bJ3q4rT4MRdMOkWCn5SHH6QC7djRaxFcPxX:ElkRGc964v4MR3Q5jIxOP

Score

10^/10

darkcomet id-01 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

ID-01

C2

213.190.57.17:4411

Mutex

DC_MUTEX-H8BKTPK

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
b�VUJ6rG.XLP
install
true
offline_keylogger
true
password
wtf?end
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_f16ef2c3f71f856098faf2a12ebf7d58
- Size
  
  1.6MB
- MD5
  
  f16ef2c3f71f856098faf2a12ebf7d58
- SHA1
  
  5f4a0ff4c8719c7e9cba8dc9df60c5fb3c301879
- SHA256
  
  1243f5ee305134d58fbc631d13721edd2a3f4887a6f6153a207dbfb357c1151d
- SHA512
  
  b7115cd3326612af0e43e487d2cf75d055cc8392c925b18d1a6784077f7d5a5afaeb43cbc62296cd46c78c1334e65416a121db101635e096ea92eb17d02b94bf
- SSDEEP
  
  24576:2IGD/tkRGc/bJ3q4rT4MRdMOkWCn5SHH6QC7djRaxFcPxX:ElkRGc964v4MR3Q5jIxOP
Score

10^/10

darkcomet id-01 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometid-01defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometid-01defense_evasiondiscoverypersistencerattrojan