darkcomet | fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac | Triage

Sharing

General

Target

JaffaCakes118_84c7d8597e548caeb258298376c27519
Size

663KB
Sample

250321-z47v3szwes
MD5

84c7d8597e548caeb258298376c27519
SHA1

b5ccbdb78d80af0c91b8378e9c4a2ee4f779f91c
SHA256

fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac
SHA512

54666ae9801bd95d6482788b8855f85b87aa7d1df00cfd3265407f010f980ad6612b4f7f3c9c444baf06831856431a66b50ccfb3b114d79bc9abdcd7e5e84022
SSDEEP

12288:3pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Y:ZwAcu99lPzvxP+Bsz2XjWTRMQckkIXnA

Score

10^/10

darkcomet sbs defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

sbs

C2

127.0.0.1:21

Mutex

DC_MUTEX-D77XKZP

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
cyolL=+r#6rV
install
true
offline_keylogger
true
password
never mind
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_84c7d8597e548caeb258298376c27519
- Size
  
  663KB
- MD5
  
  84c7d8597e548caeb258298376c27519
- SHA1
  
  b5ccbdb78d80af0c91b8378e9c4a2ee4f779f91c
- SHA256
  
  fdc4c6e08abd577ef436c0efbaeccfec398adf59bd049820110b8028b6129eac
- SHA512
  
  54666ae9801bd95d6482788b8855f85b87aa7d1df00cfd3265407f010f980ad6612b4f7f3c9c444baf06831856431a66b50ccfb3b114d79bc9abdcd7e5e84022
- SSDEEP
  
  12288:3pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Y:ZwAcu99lPzvxP+Bsz2XjWTRMQckkIXnA
Score

10^/10

darkcomet sbs defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  defense_evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometsbsdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometsbsdiscoverypersistencerattrojan