darkcomet | 15c38b1065fd5b98f2b746a9ae46474a444a3d098affe9193a398ddecbbdeb22 | Triage

Sharing

General

Target

JaffaCakes118_23f5074688b13a521b968487fa7f19e1
Size

2.6MB
Sample

250226-gp6qcstlt5
MD5

23f5074688b13a521b968487fa7f19e1
SHA1

fe2d40789c62c04b66dcf11fc326817133a6c02f
SHA256

15c38b1065fd5b98f2b746a9ae46474a444a3d098affe9193a398ddecbbdeb22
SHA512

8304fc85c2154ebdd85807e1f29bfa53067719c09e386ca6eaf98ab1d3818c758990cee8b234b27914fd392ae63e80100239b6ab626733cf327f704fd56958ea
SSDEEP

49152:jNze6uEdvuLyikJiybRikJiybRP96Lq1vaAE3UgxFbTGkyrXI7:Y6uxG/2q1vnE3UiFvGXk

Score

10^/10

darkcomet swag defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Swag

C2

lundinozz.no-ip.biz:200

Mutex

DC_MUTEX-W7UQE4H

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
CPFr4CCMv1Tm
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_23f5074688b13a521b968487fa7f19e1
- Size
  
  2.6MB
- MD5
  
  23f5074688b13a521b968487fa7f19e1
- SHA1
  
  fe2d40789c62c04b66dcf11fc326817133a6c02f
- SHA256
  
  15c38b1065fd5b98f2b746a9ae46474a444a3d098affe9193a398ddecbbdeb22
- SHA512
  
  8304fc85c2154ebdd85807e1f29bfa53067719c09e386ca6eaf98ab1d3818c758990cee8b234b27914fd392ae63e80100239b6ab626733cf327f704fd56958ea
- SSDEEP
  
  49152:jNze6uEdvuLyikJiybRikJiybRP96Lq1vaAE3UgxFbTGkyrXI7:Y6uxG/2q1vnE3UiFvGXk
Score

10^/10

darkcomet swag defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometswagdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometswagdefense_evasiondiscoverypersistencerattrojan