darkcomet | 74ab8a09aba00d9ebd40dc1e79617569d02001af2f54dd3423eff005efd6e2da | Triage

Sharing

General

Target

JaffaCakes118_1d21b5225c9e2d9d4702693de1421100
Size

987KB
Sample

250223-ackh2aspen
MD5

1d21b5225c9e2d9d4702693de1421100
SHA1

0f4135f31bc8c90f36fabeb59dc9c1416ac12ec1
SHA256

74ab8a09aba00d9ebd40dc1e79617569d02001af2f54dd3423eff005efd6e2da
SHA512

148edc9e651c095c1e0f38f122ad53f8aa46354923adb34b9f925b2af632b2ababf02d9c4ec7639d7f708b912c579fc690db5b8abe1b415190d7297bc4cc0bd7
SSDEEP

24576:oqqhNZFR9J1Bt5l6ON2L7quimaeSWKOCGbUWSeaGCOK2y+p/kEquimaeSWKOCGhq:ok+1L/u68XjS8FxqUW

Score

10^/10

darkcomet kurban5 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

kurban5

C2

uyt.hopto.org:998

Mutex

DC_MUTEX-KJWSWZW

Attributes

InstallPath
Drivers\google.exe
gencode
3kiBly+Y*9J�
install
true
offline_keylogger
true
persistence
false
reg_key
google

rc4.plain

Targets

- Target
  
  JaffaCakes118_1d21b5225c9e2d9d4702693de1421100
- Size
  
  987KB
- MD5
  
  1d21b5225c9e2d9d4702693de1421100
- SHA1
  
  0f4135f31bc8c90f36fabeb59dc9c1416ac12ec1
- SHA256
  
  74ab8a09aba00d9ebd40dc1e79617569d02001af2f54dd3423eff005efd6e2da
- SHA512
  
  148edc9e651c095c1e0f38f122ad53f8aa46354923adb34b9f925b2af632b2ababf02d9c4ec7639d7f708b912c579fc690db5b8abe1b415190d7297bc4cc0bd7
- SSDEEP
  
  24576:oqqhNZFR9J1Bt5l6ON2L7quimaeSWKOCGbUWSeaGCOK2y+p/kEquimaeSWKOCGhq:ok+1L/u68XjS8FxqUW
Score

10^/10

darkcomet kurban5 discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometkurban5discoverypersistencerattrojan

behavioral2

darkcometkurban5discoverypersistencerattrojan