darkcomet | 18d52aeaa59125375425cf062ea0ad69f2e90fdd02ef30c5af79ccd566490cfb | Triage

Sharing

General

Target

JaffaCakes118_857aeabedfb0c621ea49fe81c9458060
Size

686KB
Sample

250322-b4vnrayqs7
MD5

857aeabedfb0c621ea49fe81c9458060
SHA1

e2b5ea100aca8e27b09205975f1a61184022348c
SHA256

18d52aeaa59125375425cf062ea0ad69f2e90fdd02ef30c5af79ccd566490cfb
SHA512

db27e70ef061a6b2790d633f66038a41fc2bc31fbd04349cd7eecd3994164c034d4bee8982f3f8157a473e0b4d779feba50f130a5c74c26d09dac4180f672b69
SSDEEP

12288:pXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UF:VnAw2WWeFcfbP9VPSPMTSPL/rWvzq4J1

Score

10^/10

darkcomet victime defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

inyourfaaace.no-ip.org:81

Mutex

DC_MUTEX-AQVBRQF

Attributes

InstallPath
MSDCSC\Setup.exe
gencode
vu9y6SRjoEjp
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

rc4.plain

Targets

- Target
  
  JaffaCakes118_857aeabedfb0c621ea49fe81c9458060
- Size
  
  686KB
- MD5
  
  857aeabedfb0c621ea49fe81c9458060
- SHA1
  
  e2b5ea100aca8e27b09205975f1a61184022348c
- SHA256
  
  18d52aeaa59125375425cf062ea0ad69f2e90fdd02ef30c5af79ccd566490cfb
- SHA512
  
  db27e70ef061a6b2790d633f66038a41fc2bc31fbd04349cd7eecd3994164c034d4bee8982f3f8157a473e0b4d779feba50f130a5c74c26d09dac4180f672b69
- SSDEEP
  
  12288:pXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UF:VnAw2WWeFcfbP9VPSPMTSPL/rWvzq4J1
Score

10^/10

darkcomet victime defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Modifies security service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Disables Task Manager via registry modification
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

victimedarkcomet

behavioral1

darkcometvictimedefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometvictimedefense_evasiondiscoverypersistencerattrojan