darkcomet | 59abfb3dc2750ecb19cf13cc6b444faef555fe9765f5e7351365f3975c82c645 | Triage

Sharing

General

Target

JaffaCakes118_00abdc488cc96e55dbaeb612f0daf259
Size

709KB
Sample

250218-tksn6avls8
MD5

00abdc488cc96e55dbaeb612f0daf259
SHA1

ff79f1b780454ef48cc7c6357ef400c6b710eed9
SHA256

59abfb3dc2750ecb19cf13cc6b444faef555fe9765f5e7351365f3975c82c645
SHA512

41484904ac2bf1dac7ae2db4a98e86a3962cd1af801caf05680342d07d2ad74fa62b72e0ea3a2ea51067193c50f8b88c1a3d04058df9b710e1173ad15a5162bd
SSDEEP

12288:PoSef2t55VV6im3OWFQ1047B9GUd+u/6N40aozt/4ZwyZibQASvezQMDhKIhBoRZ:Po1Ot/VV6XeWF5yJ6S0aq/k6QASMtKds

Score

10^/10

darkcomet windows_update defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Windows_Update

C2

10.111.222.17:1604

Mutex

DC_MUTEX-X1KZAQN

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
gv4NjPEMp�iq
install
true
offline_keylogger
true
password
0123456789
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_00abdc488cc96e55dbaeb612f0daf259
- Size
  
  709KB
- MD5
  
  00abdc488cc96e55dbaeb612f0daf259
- SHA1
  
  ff79f1b780454ef48cc7c6357ef400c6b710eed9
- SHA256
  
  59abfb3dc2750ecb19cf13cc6b444faef555fe9765f5e7351365f3975c82c645
- SHA512
  
  41484904ac2bf1dac7ae2db4a98e86a3962cd1af801caf05680342d07d2ad74fa62b72e0ea3a2ea51067193c50f8b88c1a3d04058df9b710e1173ad15a5162bd
- SSDEEP
  
  12288:PoSef2t55VV6im3OWFQ1047B9GUd+u/6N40aozt/4ZwyZibQASvezQMDhKIhBoRZ:Po1Ot/VV6XeWF5yJ6S0aq/k6QASMtKds
Score

10^/10

darkcomet windows_update defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometwindows_updatedefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometwindows_updatedefense_evasiondiscoverypersistencerattrojan