darkcomet | 3cbc9b41401095ccc877ec866f387876a25d0ccf3ea3659aedce7c7ffa3c95ad | Triage

Sharing

General

Target

JaffaCakes118_886d2ab795acf2e409ada4ddad9afcd8
Size

1.2MB
Sample

250324-g78mnsvmz4
MD5

886d2ab795acf2e409ada4ddad9afcd8
SHA1

3048dd563a1cc0db500a83ddd7f22408f829ae9f
SHA256

3cbc9b41401095ccc877ec866f387876a25d0ccf3ea3659aedce7c7ffa3c95ad
SHA512

cd16000642d43a905ee11bc910191059d705d296722b67795ac29e372931d73766d0e6a573b27e6414cc58e916ec6bbed51022d354ee8772fd11a8d72b93d401
SSDEEP

12288:6i+f6X7fq6LEXuaAPYchSmOyYJFUS61xbnnI5fCKPMVnGRsEV8W3Vb1Qz+XAkGpM:v+fw7SrnUv/T4a6MzBkoX9c9F

Score

10^/10

darkcomet hf defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

aimbot.no-ip.org:1604

127.0.0.1:1604

192.168.1.110:1604

Mutex

DC_MUTEX-CCKCWAR

Attributes

InstallPath
java32\java.exe
gencode
XSQRPAVCy1NH
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_886d2ab795acf2e409ada4ddad9afcd8
- Size
  
  1.2MB
- MD5
  
  886d2ab795acf2e409ada4ddad9afcd8
- SHA1
  
  3048dd563a1cc0db500a83ddd7f22408f829ae9f
- SHA256
  
  3cbc9b41401095ccc877ec866f387876a25d0ccf3ea3659aedce7c7ffa3c95ad
- SHA512
  
  cd16000642d43a905ee11bc910191059d705d296722b67795ac29e372931d73766d0e6a573b27e6414cc58e916ec6bbed51022d354ee8772fd11a8d72b93d401
- SSDEEP
  
  12288:6i+f6X7fq6LEXuaAPYchSmOyYJFUS61xbnnI5fCKPMVnGRsEV8W3Vb1Qz+XAkGpM:v+fw7SrnUv/T4a6MzBkoX9c9F
Score

10^/10

darkcomet hf defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethfdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcomethfdefense_evasiondiscoverypersistencerattrojan