darkcomet | 1bc3088494944f59c99d118c27d185286905e137259e98de721dd439a6e2e662 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

JaffaCakes...e5.exe

windows7-x64

JaffaCakes...e5.exe

windows10-2004-x64

7

Sharing

General

Target

JaffaCakes118_86d9e56c3e555dc6030998cf95259be5
Size

1.6MB
Sample

250322-vpvjzsxtfx
MD5

86d9e56c3e555dc6030998cf95259be5
SHA1

8a9df020ac0f32b55016919bfaa00abbe559763b
SHA256

1bc3088494944f59c99d118c27d185286905e137259e98de721dd439a6e2e662
SHA512

c6b120315240cc9671fb0c4d91fd9007e0272317d70fe3f4a9b174402986fd6fb1bfb407b0551ac1e16868afa6a3df3424a9263492c323bd4bc17cf9b4609315
SSDEEP

24576:/+DraMOVm++uBIWvr8KpP3e6DftzhJYoj/PAQS1wpWD5TBELMNMhpXTSF74fB8kk:GDtOVmruBr8K1e6D2oIB1w0F9aFBbN

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_86d9e56c3e555dc6030998cf95259be5.exe

Resource

win7-20240903-en

darkcomet guest16 defense_evasion discovery persistence rat themida trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_86d9e56c3e555dc6030998cf95259be5.exe

Resource

win10v2004-20250314-en

defense_evasion discovery themida

windows10-2004-x64

3 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.96:1337

Mutex

DC_MUTEX-WUDUVMN

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
DA7q.hvWq�Sa
install
true
offline_keylogger
false
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_86d9e56c3e555dc6030998cf95259be5
- Size
  
  1.6MB
- MD5
  
  86d9e56c3e555dc6030998cf95259be5
- SHA1
  
  8a9df020ac0f32b55016919bfaa00abbe559763b
- SHA256
  
  1bc3088494944f59c99d118c27d185286905e137259e98de721dd439a6e2e662
- SHA512
  
  c6b120315240cc9671fb0c4d91fd9007e0272317d70fe3f4a9b174402986fd6fb1bfb407b0551ac1e16868afa6a3df3424a9263492c323bd4bc17cf9b4609315
- SSDEEP
  
  24576:/+DraMOVm++uBIWvr8KpP3e6DftzhJYoj/PAQS1wpWD5TBELMNMhpXTSF74fB8kk:GDtOVmruBr8K1e6D2oIB1w0F9aFBbN
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat themida trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoverypersistenceratthemidatrojan

behavioral2

defense_evasiondiscoverythemida

© 2018-2025

Terms | Privacy