darkcomet | a2cfdbda6ee309edf1c4e9d55316350a7a0a844471d9438b0892e08fc29cf453 | Triage

Sharing

General

Target

JaffaCakes118_85bce2df61498d0626243f28202b9df9
Size

1.1MB
Sample

250322-dwyfsaw1hz
MD5

85bce2df61498d0626243f28202b9df9
SHA1

cdda8ae6c3901cf88ef42706c1f3ce38bf2e3679
SHA256

a2cfdbda6ee309edf1c4e9d55316350a7a0a844471d9438b0892e08fc29cf453
SHA512

255ef9e7e42e18a9f4bcd78958fe8e20103f779a2156fcf82820fe1041652c7ae7bea8819abd09ef4f7937beb63150930447e5dc10b9fa63fd0bf035a69dca7c
SSDEEP

12288:PW/Bv17kMLTTTdfIX1y6hgpcKiaqb7MybKbeLSVNIYntkypxCJfFSzk+wDvCXP52:PkdshJMXiJo7jWy8a1VXiNhbnQ+

Score

10^/10

darkcomet ms-dos defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ms-dos

C2

pourmoi.zapto.org:2000

pourmoi.zapto.org:200

pourmoi.zapto.org:1604

pourmoi.zapto.org:164

pourmoi.zapto.org:80

Mutex

DC_MUTEX-M5FD2QE

Attributes

gencode
dS$=Gi/U7yGB
install
false
offline_keylogger
true
password
da06101266
persistence
false

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_85bce2df61498d0626243f28202b9df9
- Size
  
  1.1MB
- MD5
  
  85bce2df61498d0626243f28202b9df9
- SHA1
  
  cdda8ae6c3901cf88ef42706c1f3ce38bf2e3679
- SHA256
  
  a2cfdbda6ee309edf1c4e9d55316350a7a0a844471d9438b0892e08fc29cf453
- SHA512
  
  255ef9e7e42e18a9f4bcd78958fe8e20103f779a2156fcf82820fe1041652c7ae7bea8819abd09ef4f7937beb63150930447e5dc10b9fa63fd0bf035a69dca7c
- SSDEEP
  
  12288:PW/Bv17kMLTTTdfIX1y6hgpcKiaqb7MybKbeLSVNIYntkypxCJfFSzk+wDvCXP52:PkdshJMXiJo7jWy8a1VXiNhbnQ+
Score

10^/10

darkcomet ms-dos defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometms-dosdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometms-dosdefense_evasiondiscoverypersistencerattrojan