darkcomet | 105744effd85b1afe3c9c6d5107a43cbb054aef1946a9214a2cbf33e8c35f745 | Triage

Submit
Reports

Overview

overview

Static

static

7

JaffaCakes...d2.exe

windows7-x64

JaffaCakes...d2.exe

windows10-2004-x64

7

Sharing

General

Target

JaffaCakes118_2cf872857dfedfb5cfbd0aa8d60680d2
Size

907KB
Sample

250227-ntdzgaxjt8
MD5

2cf872857dfedfb5cfbd0aa8d60680d2
SHA1

2751ff50ff652a2dbeaef8bd35c398a14462050e
SHA256

105744effd85b1afe3c9c6d5107a43cbb054aef1946a9214a2cbf33e8c35f745
SHA512

7dec920e2740d3aae5111dfd490ea3db2f7623a5f32bf583983caca27bb5a9554721a2ce587be43a5b4acac9aec998d12bd00f71a06da61f00c38ed6506a3804
SSDEEP

12288:qxRHlC84eaDsdMI2R/I+neRKYlZ6u7jgPL2dLhF2xQGBLwP11wbPTmROzCppg6pf:k685a4dJ+c6uPgPoLOBH0A4DGS

Score

10^/10

darkcomet windows aspackv2 defense_evasion discovery persistence rat themida trojan

Static task

static1

aspackv2 themida

3 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_2cf872857dfedfb5cfbd0aa8d60680d2.exe

Resource

win7-20240903-en

darkcomet windows defense_evasion discovery persistence rat themida trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_2cf872857dfedfb5cfbd0aa8d60680d2.exe

Resource

win10v2004-20250217-en

defense_evasion discovery themida

windows10-2004-x64

3 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

windows

C2

dynamichost.no-ip.org:1604

Mutex

DC_MUTEX-T7SQWEY

Attributes

InstallPath
explorer.exe
gencode
S$51*+FXvRd2
install
true
offline_keylogger
true
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_2cf872857dfedfb5cfbd0aa8d60680d2
- Size
  
  907KB
- MD5
  
  2cf872857dfedfb5cfbd0aa8d60680d2
- SHA1
  
  2751ff50ff652a2dbeaef8bd35c398a14462050e
- SHA256
  
  105744effd85b1afe3c9c6d5107a43cbb054aef1946a9214a2cbf33e8c35f745
- SHA512
  
  7dec920e2740d3aae5111dfd490ea3db2f7623a5f32bf583983caca27bb5a9554721a2ce587be43a5b4acac9aec998d12bd00f71a06da61f00c38ed6506a3804
- SSDEEP
  
  12288:qxRHlC84eaDsdMI2R/I+neRKYlZ6u7jgPL2dLhF2xQGBLwP11wbPTmROzCppg6pf:k685a4dJ+c6uPgPoLOBH0A4DGS
Score

10^/10

darkcomet windows defense_evasion discovery persistence rat themida trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

aspackv2themida

behavioral1

darkcometwindowsdefense_evasiondiscoverypersistenceratthemidatrojan

behavioral2

defense_evasiondiscoverythemida

© 2018-2025

Terms | Privacy