darkcomet | 8a5ae549f49aa6ccdf799dffac687f313078d064d65cd650aa92963f90c75afc | Triage

Sharing

General

Target

JaffaCakes118_383c7631dffe21f68470bb2b119eb5f5
Size

747KB
Sample

250301-lqny6axvhs
MD5

383c7631dffe21f68470bb2b119eb5f5
SHA1

498c4206435c79bcb0fb7bb8250d38d0e0b2c7c6
SHA256

8a5ae549f49aa6ccdf799dffac687f313078d064d65cd650aa92963f90c75afc
SHA512

bfa80054db09915817599fc3d0cf1f68f096da5897478326e691d7f6596ff9c51d7f90736f8fead26bcf70d9e855d84e5fc515f8595a28684f03be194799f8be
SSDEEP

12288:36A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhkPgx:qAmBpVKHu0Mu9Xo20VGLVP5N

Score

10^/10

darkcomet nooby defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

nooby

C2

twidz.sytes.net:1604

Mutex

DC_MUTEX-70JEKY8

Attributes

InstallPath
drivers\etc\hosts.exe
gencode
2*9Gqb/dxoL3
install
true
offline_keylogger
true
persistence
true
reg_key
hosts

rc4.plain

Targets

- Target
  
  JaffaCakes118_383c7631dffe21f68470bb2b119eb5f5
- Size
  
  747KB
- MD5
  
  383c7631dffe21f68470bb2b119eb5f5
- SHA1
  
  498c4206435c79bcb0fb7bb8250d38d0e0b2c7c6
- SHA256
  
  8a5ae549f49aa6ccdf799dffac687f313078d064d65cd650aa92963f90c75afc
- SHA512
  
  bfa80054db09915817599fc3d0cf1f68f096da5897478326e691d7f6596ff9c51d7f90736f8fead26bcf70d9e855d84e5fc515f8595a28684f03be194799f8be
- SSDEEP
  
  12288:36A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhkPgx:qAmBpVKHu0Mu9Xo20VGLVP5N
Score

10^/10

darkcomet nooby defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Disables RegEdit via registry modification
  defense_evasion
- Disables Task Manager via registry modification
  defense_evasion
- Drops file in Drivers directory
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometnoobydefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometnoobydefense_evasiondiscoverypersistencerattrojan