darkcomet | bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297 | Triage

Sharing

General

Target

JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868
Size

1.0MB
Sample

250301-jbt6hst1hy
MD5

37969e3e1072e63d7b7cb3a4589da868
SHA1

7322c4e785f823a88bac1a1905b6a9552a813ff6
SHA256

bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297
SHA512

9b20b52d83a740cea6f7757c71d8b6a218f4b179c44d32487fd7127d2e3701bcc67d211840c214e5986f609e18ba33d01a271f8f163a45e2108935d1d475046d
SSDEEP

12288:YPUrHQD3AQlabjnJnIP5BfjdXmwmwGsqp/UAQQf9y0yaln2qnqGG41I9SOHlhCUC:YsTjTNebdhmMov1Cc0zdQL98hpyX

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

drkcmt.no-ip.org:1604

Mutex

DC_MUTEX-XRH4NSY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
WY7jPoPv6hlA
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_37969e3e1072e63d7b7cb3a4589da868
- Size
  
  1.0MB
- MD5
  
  37969e3e1072e63d7b7cb3a4589da868
- SHA1
  
  7322c4e785f823a88bac1a1905b6a9552a813ff6
- SHA256
  
  bffdb13b50fb76a4e85e4e027e166271dbe2cc9ccaf19fbff4ba8cfeeb6ea297
- SHA512
  
  9b20b52d83a740cea6f7757c71d8b6a218f4b179c44d32487fd7127d2e3701bcc67d211840c214e5986f609e18ba33d01a271f8f163a45e2108935d1d475046d
- SSDEEP
  
  12288:YPUrHQD3AQlabjnJnIP5BfjdXmwmwGsqp/UAQQf9y0yaln2qnqGG41I9SOHlhCUC:YsTjTNebdhmMov1Cc0zdQL98hpyX
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest16defense_evasiondiscoverypersistencerattrojan