darkcomet | 3c6458d4198685245d3d9e84728605fe1828ce58b4dfe3bc3877f36147d010ca | Triage

Sharing

General

Target

JaffaCakes118_1fa63b91fdf9b131613425603f53e4c4
Size

692KB
Sample

250223-kcpsvs1lhm
MD5

1fa63b91fdf9b131613425603f53e4c4
SHA1

22604ae2ea1f289123effacaab65c9f2e53aacd0
SHA256

3c6458d4198685245d3d9e84728605fe1828ce58b4dfe3bc3877f36147d010ca
SHA512

745f40dcbbccfe109fd6abee1c92e6ca293193a726919a689f05af6bf18ac4b746264701ba45a9a52449221ead3b94a6c24b1b280a639b2f231b94cc38ca1755
SSDEEP

12288:YXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uy:enAw2WWeFcfbP9VPSPMTSPL/rWvzq4JC

Score

10^/10

darkcomet serveur1 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

serveur1

C2

mtltesthost.no-ip.biz:81

mtltesthost.no-ip.biz:1604

Mutex

DC_MUTEX-MURFSM7

Attributes

InstallPath
MSDCSC\winupdate.exe
gencode
tQLs41ntgNEp
install
true
offline_keylogger
true
password
dandy.s.am
persistence
true
reg_key
winupdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_1fa63b91fdf9b131613425603f53e4c4
- Size
  
  692KB
- MD5
  
  1fa63b91fdf9b131613425603f53e4c4
- SHA1
  
  22604ae2ea1f289123effacaab65c9f2e53aacd0
- SHA256
  
  3c6458d4198685245d3d9e84728605fe1828ce58b4dfe3bc3877f36147d010ca
- SHA512
  
  745f40dcbbccfe109fd6abee1c92e6ca293193a726919a689f05af6bf18ac4b746264701ba45a9a52449221ead3b94a6c24b1b280a639b2f231b94cc38ca1755
- SSDEEP
  
  12288:YXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uy:enAw2WWeFcfbP9VPSPMTSPL/rWvzq4JC
Score

10^/10

darkcomet serveur1 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

serveur1darkcomet

behavioral1

darkcometserveur1defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometserveur1defense_evasiondiscoverypersistencerattrojan