darkcomet | 3245d67cd64a9be97a430ccd4ac48a280d72b7c9beb6ba17980b9bdf91a7603d | Triage

Sharing

General

Target

JaffaCakes118_3f3f5c7cf9cbb0a95528aa19e54f54d0
Size

1.7MB
Sample

250302-kywtas1sct
MD5

3f3f5c7cf9cbb0a95528aa19e54f54d0
SHA1

5f48c990632dd788c7866e6b051715727119f6cc
SHA256

3245d67cd64a9be97a430ccd4ac48a280d72b7c9beb6ba17980b9bdf91a7603d
SHA512

34a89f4271bf2c8ef2a9411af37ba201420fcecad7db198b30d6ed2b45e910181b08a1a15ad94184085344a7ed2ed22cdae8579ce42a4d4472f724a538992627
SSDEEP

49152:BgEjyITimZT7byfT7byXT7byXT7byaWcbfSE:BXjyyi+XkX0X0XgcbfSE

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

onur11.zapto.org:1604

Mutex

DC_MUTEX-FBBAB9P

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
5R19prkNBt16
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_3f3f5c7cf9cbb0a95528aa19e54f54d0
- Size
  
  1.7MB
- MD5
  
  3f3f5c7cf9cbb0a95528aa19e54f54d0
- SHA1
  
  5f48c990632dd788c7866e6b051715727119f6cc
- SHA256
  
  3245d67cd64a9be97a430ccd4ac48a280d72b7c9beb6ba17980b9bdf91a7603d
- SHA512
  
  34a89f4271bf2c8ef2a9411af37ba201420fcecad7db198b30d6ed2b45e910181b08a1a15ad94184085344a7ed2ed22cdae8579ce42a4d4472f724a538992627
- SSDEEP
  
  49152:BgEjyITimZT7byfT7byXT7byXT7byaWcbfSE:BXjyyi+XkX0X0XgcbfSE
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Disables Task Manager via registry modification
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometguest16defense_evasiondiscoverypersistencerattrojan