darkcomet | 47a8bbcdbacf5ffc6824fab2b4dd3d0625174f9d68aa67fd0eece5ce9fd2d7db | Triage

Sharing

General

Target

JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689
Size

1.2MB
Sample

250219-zxpqxsynft
MD5

07c0b59dee261086d7a85b18bf4c1689
SHA1

a5914159aa80b1b4edca311344bd8d49331fb62f
SHA256

47a8bbcdbacf5ffc6824fab2b4dd3d0625174f9d68aa67fd0eece5ce9fd2d7db
SHA512

a62a654a07f9a6d71a30f0189b03c27008594aabdc7819e0a9d63d75297a42bb3014de64d07c25a52518ff590b433f38d5289d99a80105817955adf10247afef
SSDEEP

12288:zRz5f7CiUySyZplm/VK7Ba1gMUIC2DjxOCDQtaHehQK8y5Av3vW1pIhrRRhsLrIu:zRdfUkC94sUC/vnakTTjcccV

Score

10^/10

darkcomet zombk defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

zombk

C2

zombk.no-ip.org:1500

127.0.0.1:1500

192.168.1.43:1500

Mutex

DC_MUTEX-DR20D9S

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2hEkSK4e2CCs
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_07c0b59dee261086d7a85b18bf4c1689
- Size
  
  1.2MB
- MD5
  
  07c0b59dee261086d7a85b18bf4c1689
- SHA1
  
  a5914159aa80b1b4edca311344bd8d49331fb62f
- SHA256
  
  47a8bbcdbacf5ffc6824fab2b4dd3d0625174f9d68aa67fd0eece5ce9fd2d7db
- SHA512
  
  a62a654a07f9a6d71a30f0189b03c27008594aabdc7819e0a9d63d75297a42bb3014de64d07c25a52518ff590b433f38d5289d99a80105817955adf10247afef
- SSDEEP
  
  12288:zRz5f7CiUySyZplm/VK7Ba1gMUIC2DjxOCDQtaHehQK8y5Av3vW1pIhrRRhsLrIu:zRdfUkC94sUC/vnakTTjcccV
Score

10^/10

discovery darkcomet zombk defense_evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Port Monitors
  Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Port Monitors

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Port Monitors

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

darkcometzombkdefense_evasiondiscoverypersistencerattrojan