darkcomet | 4978b8076bd7866b45ca19592ad9821daed644a68ab8764c643f425e9d1f5d8b | Triage

Sharing

General

Target

JaffaCakes118_485a272796045e7e6354030591b5b94a
Size

3.4MB
Sample

250303-wqsmfsvlv8
MD5

485a272796045e7e6354030591b5b94a
SHA1

765c508e48a7e53dcd48c1f12c6bf99c40d70182
SHA256

4978b8076bd7866b45ca19592ad9821daed644a68ab8764c643f425e9d1f5d8b
SHA512

343cac056737023b8e310bb53e6b1d11da9cf7fbf12c5770e2643aefe123e1f812a625bb1b1fde6aebc1884c9fd46e2be2a9d9af61360ead50998893bcac1ab9
SSDEEP

49152:AFZAqr50gmb1vLyMDX0AeuRzZqgV6f2QPNcOtViqNdUyyiKQWVxxtvD3DzBQS48K:2r5w2Mk89qgVmDP2yyiKQExZD3JQSUhv

Score

10^/10

darkcomet victim 1 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Extracted

Family

darkcomet

Botnet

victim 1

C2

46.109.72.92:1604

46.109.73.7:1604

ratty.no-ip.biz:1604

Mutex

DC_MUTEX-WN7E01P

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ywx7hgBlyfX9
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_485a272796045e7e6354030591b5b94a
- Size
  
  3.4MB
- MD5
  
  485a272796045e7e6354030591b5b94a
- SHA1
  
  765c508e48a7e53dcd48c1f12c6bf99c40d70182
- SHA256
  
  4978b8076bd7866b45ca19592ad9821daed644a68ab8764c643f425e9d1f5d8b
- SHA512
  
  343cac056737023b8e310bb53e6b1d11da9cf7fbf12c5770e2643aefe123e1f812a625bb1b1fde6aebc1884c9fd46e2be2a9d9af61360ead50998893bcac1ab9
- SSDEEP
  
  49152:AFZAqr50gmb1vLyMDX0AeuRzZqgV6f2QPNcOtViqNdUyyiKQWVxxtvD3DzBQS48K:2r5w2Mk89qgVmDP2yyiKQExZD3JQSUhv
Score

10^/10

darkcomet victim 1 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometvictim 1defense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometvictim 1defense_evasiondiscoverypersistencerattrojan