darkcomet | 161140b3b7c0f370bc98c8c5047edc4db2bef762b682bcb3c51b35c853bee4aa | Triage

Sharing

General

Target

JaffaCakes118_29639edc08702e91c7e4fa3f73adaa0b
Size

1.4MB
Sample

250227-aavwzsxwhx
MD5

29639edc08702e91c7e4fa3f73adaa0b
SHA1

355ab1e0bd2b377d879f6d2fc0f32ec060d788b8
SHA256

161140b3b7c0f370bc98c8c5047edc4db2bef762b682bcb3c51b35c853bee4aa
SHA512

d83a0655e9ff779bcb86bf2a39e9594fcfe5d9774c058f49d77e06e23a75cf01079c31df45835730b6931673f7fd7914f59c2203ce336cdde967ca6169bd711f
SSDEEP

24576:BRmJkcoQricOIQxiZY1jaeBcTlNLuJVC6CZJDvarkYtBBa6i0D:uJZoQrbTFZY1jaeBcTlNCO6g9vaY6QOD

Score

10^/10

darkcomet server defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

Server

C2

zcto.zapto.org:1604

Mutex

DC_MUTEX-FYTWRUF

Attributes

InstallPath
Explorer\Explorer.exe
gencode
vMjrDJ6jv5VW
install
true
offline_keylogger
true
persistence
true
reg_key
Explorer

rc4.plain

Targets

- Target
  
  JaffaCakes118_29639edc08702e91c7e4fa3f73adaa0b
- Size
  
  1.4MB
- MD5
  
  29639edc08702e91c7e4fa3f73adaa0b
- SHA1
  
  355ab1e0bd2b377d879f6d2fc0f32ec060d788b8
- SHA256
  
  161140b3b7c0f370bc98c8c5047edc4db2bef762b682bcb3c51b35c853bee4aa
- SHA512
  
  d83a0655e9ff779bcb86bf2a39e9594fcfe5d9774c058f49d77e06e23a75cf01079c31df45835730b6931673f7fd7914f59c2203ce336cdde967ca6169bd711f
- SSDEEP
  
  24576:BRmJkcoQricOIQxiZY1jaeBcTlNLuJVC6CZJDvarkYtBBa6i0D:uJZoQrbTFZY1jaeBcTlNCO6g9vaY6QOD
Score

10^/10

darkcomet server defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Disables RegEdit via registry modification
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometserverdefense_evasiondiscoverypersistencerattrojan

behavioral2