darkcomet | 0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328 | Triage

Sharing

General

Target

JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799
Size

1.8MB
Sample

250225-sjd9pssjy6
MD5

227a0f7cb2cbcd3e3de05d9547e83799
SHA1

5a2be3bee31db9b50e068f1f2ad7a23f92b02c31
SHA256

0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328
SHA512

daeba0b4948687345b26bedb722a89dddb3257dbd2624bf261e478db9592e17b53f632d5401e0d72b6bc1d4bda252a502089b5665603b79e3eb23efcc4288c9e
SSDEEP

24576:gMC6/tIm6YL6SAhk70Trc/n6Ib6eYWxWhQU/5+eAO3gptmsNpdm0zRndLJbe7g:gM1L+S2kQTArahz5JYz77

Score

10^/10

darkcomet guest16_min discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

178.32.175.242:1604

Mutex

DCMIN_MUTEX-TB6MLVQ

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
M9CjskNV6E0C
install
true
offline_keylogger
true
persistence
false
reg_key
eternalspy

rc4.plain

Targets

- Target
  
  JaffaCakes118_227a0f7cb2cbcd3e3de05d9547e83799
- Size
  
  1.8MB
- MD5
  
  227a0f7cb2cbcd3e3de05d9547e83799
- SHA1
  
  5a2be3bee31db9b50e068f1f2ad7a23f92b02c31
- SHA256
  
  0c1f4d0d9fc0877e497c15bc89869c019a2a22ea0551af1c5a962689ca9ae328
- SHA512
  
  daeba0b4948687345b26bedb722a89dddb3257dbd2624bf261e478db9592e17b53f632d5401e0d72b6bc1d4bda252a502089b5665603b79e3eb23efcc4288c9e
- SSDEEP
  
  24576:gMC6/tIm6YL6SAhk70Trc/n6Ib6eYWxWhQU/5+eAO3gptmsNpdm0zRndLJbe7g:gM1L+S2kQTArahz5JYz77
Score

10^/10

darkcomet guest16_min discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16_mindiscoverypersistencerattrojan

behavioral2

darkcometdiscoverypersistencerattrojan