darkcomet | 541937733ed06c1bded0e820bbfd1d986c7b9a394c0a0d665ab53e077b6461b5 | Triage

Sharing

General

Target

JaffaCakes118_001893cda7d0370788b0f8d6d4b44594
Size

752KB
Sample

250218-qq6lesskt5
MD5

001893cda7d0370788b0f8d6d4b44594
SHA1

a2deff93b3ea200ad69edd3bb8dddddf2e9c3603
SHA256

541937733ed06c1bded0e820bbfd1d986c7b9a394c0a0d665ab53e077b6461b5
SHA512

c5d4379a929c1324b33a88044e7b3fea9fae8d650e1ad98f95b9854ba90a061931ff812cd61d8d1bfd29de7971e8973d67d8ae7fb8dfafafe70aa8715b853e20
SSDEEP

12288:X6Al3AtpCrcXbwH0AMn+7QW95VYnZQwZH03xouaxUnDSInhZJBKOQLY2tbEnrStL:X6ApAtpCXH0AT95VZop0ibOo9L

Score

10^/10

darkcomet server discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Server

C2

nxxbkiller.no-ip.biz:1234

Mutex

DC_MUTEX-XFXXMQ4

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
pAYlnCRBTHkl
install
true
offline_keylogger
true
password
12345
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_001893cda7d0370788b0f8d6d4b44594
- Size
  
  752KB
- MD5
  
  001893cda7d0370788b0f8d6d4b44594
- SHA1
  
  a2deff93b3ea200ad69edd3bb8dddddf2e9c3603
- SHA256
  
  541937733ed06c1bded0e820bbfd1d986c7b9a394c0a0d665ab53e077b6461b5
- SHA512
  
  c5d4379a929c1324b33a88044e7b3fea9fae8d650e1ad98f95b9854ba90a061931ff812cd61d8d1bfd29de7971e8973d67d8ae7fb8dfafafe70aa8715b853e20
- SSDEEP
  
  12288:X6Al3AtpCrcXbwH0AMn+7QW95VYnZQwZH03xouaxUnDSInhZJBKOQLY2tbEnrStL:X6ApAtpCXH0AT95VZop0ibOo9L
Score

10^/10

darkcomet server discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometserverdiscoverypersistencerattrojan

behavioral2

darkcometserverdiscoverypersistencerattrojan