darkcomet | 7ebbc6ba5361d4824e880c9dd7196066b480555d731fb10f9c90a7060eb8808c | Triage

Sharing

General

Target

JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a
Size

830KB
Sample

250301-eqzbkazq13
MD5

36a2e0b03acc09b7d7bde9ecbc29884a
SHA1

f7fb16c7db12ab0f459c1d257bd8633971ac4ec2
SHA256

7ebbc6ba5361d4824e880c9dd7196066b480555d731fb10f9c90a7060eb8808c
SHA512

83c5e1c667bba2699c05efd9f23d5201859d6b79f55b2ade025de5831e36eff15cd8bf4278329c8011d6a7d40fd82b013da97a8406dc6420e0718a9c0f9b48f5
SSDEEP

12288:hAWFyFMup2DnS6VrFYj7fjYDl0d6KxDTe4eHfIWM9HjbuW/7fPHZOem:CIuMk2DnS6VrQ2gDTrebM9HjV/bPHlm

Score

10^/10

darkcomet victima discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

victima

C2

testers28.no-ip.org:1111

Mutex

DC_MUTEX-1GF3HUC

Attributes

InstallPath
JavaRE\bin\Java.exe
gencode
CiJev6UZ6jH*
install
true
offline_keylogger
true
password
1234
persistence
false
reg_key
Java

rc4.plain

Targets

- Target
  
  JaffaCakes118_36a2e0b03acc09b7d7bde9ecbc29884a
- Size
  
  830KB
- MD5
  
  36a2e0b03acc09b7d7bde9ecbc29884a
- SHA1
  
  f7fb16c7db12ab0f459c1d257bd8633971ac4ec2
- SHA256
  
  7ebbc6ba5361d4824e880c9dd7196066b480555d731fb10f9c90a7060eb8808c
- SHA512
  
  83c5e1c667bba2699c05efd9f23d5201859d6b79f55b2ade025de5831e36eff15cd8bf4278329c8011d6a7d40fd82b013da97a8406dc6420e0718a9c0f9b48f5
- SSDEEP
  
  12288:hAWFyFMup2DnS6VrFYj7fjYDl0d6KxDTe4eHfIWM9HjbuW/7fPHZOem:CIuMk2DnS6VrQ2gDTrebM9HjV/bPHlm
Score

10^/10

darkcomet victima discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometvictimadiscoverypersistencerattrojan

behavioral2

darkcometvictimadiscoverypersistencerattrojan