darkcomet | fe5b4c40629f0661df5675187d66ab20854b94d9c18c1eddc6cf8e4655cd67c5 | Triage

Sharing

General

Target

JaffaCakes118_1c93fe7ce6190c5224fa4e2d172f75a0
Size

764KB
Sample

250222-14qggazmbx
MD5

1c93fe7ce6190c5224fa4e2d172f75a0
SHA1

798ee0ca8b2f8cb9835ea4aad4d67aa7faf6193d
SHA256

fe5b4c40629f0661df5675187d66ab20854b94d9c18c1eddc6cf8e4655cd67c5
SHA512

21958971731e48aa2c44250a4d21aab3e0a721ad8db32a9080ef301afd9e24b0b3f878a34e622d91789fffb60b787f8fceb5109bc82ee8e8929bb1ae3d702720
SSDEEP

12288:cP0GTFwIh4EY1awKtBnrtw8bzRpyMObDkeFsB7pyCEbSTiTwRkfy9h4ORA/KjWHZ:cpTFwFoXBnpw8bzRhObDkvEbSDKC2UmV

Score

10^/10

darkcomet hacker defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

HackeR

C2

mrdn.no-ip.biz:1604

Mutex

DC_MUTEX-Q6895E2

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
kShoAudoUsCr
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_1c93fe7ce6190c5224fa4e2d172f75a0
- Size
  
  764KB
- MD5
  
  1c93fe7ce6190c5224fa4e2d172f75a0
- SHA1
  
  798ee0ca8b2f8cb9835ea4aad4d67aa7faf6193d
- SHA256
  
  fe5b4c40629f0661df5675187d66ab20854b94d9c18c1eddc6cf8e4655cd67c5
- SHA512
  
  21958971731e48aa2c44250a4d21aab3e0a721ad8db32a9080ef301afd9e24b0b3f878a34e622d91789fffb60b787f8fceb5109bc82ee8e8929bb1ae3d702720
- SSDEEP
  
  12288:cP0GTFwIh4EY1awKtBnrtw8bzRpyMObDkeFsB7pyCEbSTiTwRkfy9h4ORA/KjWHZ:cpTFwFoXBnpw8bzRhObDkvEbSDKC2UmV
Score

10^/10

darkcomet hacker defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  defense_evasion trojan
- Disables RegEdit via registry modification
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethackerdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcomethackerdefense_evasiondiscoverypersistencerattrojan