darkcomet | 9f7cab4bb3626ee48f42c80a8eab83e3745e22e7a08bf34607a5f9191903dfac | Triage

Sharing

General

Target

JaffaCakes118_94b0bd065fb4e2c04e75a6508580d247
Size

714KB
Sample

250329-x5xqds1ygy
MD5

94b0bd065fb4e2c04e75a6508580d247
SHA1

e4f3b94c4587c7a040a635572b96d1e8c181c9db
SHA256

9f7cab4bb3626ee48f42c80a8eab83e3745e22e7a08bf34607a5f9191903dfac
SHA512

628ae8e07ed2908127a5830e620b68be92769251b0c4f22a596efdd3d6d14289e5618a83318dcce6864f0aff76b45838668abd69923ccd4a1845717dc613f6b8
SSDEEP

12288:CaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZBKDVsgdh:TAEENIq8XwyVPQclDq/+WipsSh

Score

10^/10

darkcomet victim defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

victim

C2

rat-h4ck3r.no-ip.org:555

Mutex

DC_MUTEX-0TP756A

Attributes

InstallPath
windows\svchost.exe
gencode
u�x=Zm4rPgF=
install
true
offline_keylogger
true
password
Schlange22
persistence
false
reg_key
Hostprozess f�r Windows-Dienste

rc4.plain

Targets

- Target
  
  JaffaCakes118_94b0bd065fb4e2c04e75a6508580d247
- Size
  
  714KB
- MD5
  
  94b0bd065fb4e2c04e75a6508580d247
- SHA1
  
  e4f3b94c4587c7a040a635572b96d1e8c181c9db
- SHA256
  
  9f7cab4bb3626ee48f42c80a8eab83e3745e22e7a08bf34607a5f9191903dfac
- SHA512
  
  628ae8e07ed2908127a5830e620b68be92769251b0c4f22a596efdd3d6d14289e5618a83318dcce6864f0aff76b45838668abd69923ccd4a1845717dc613f6b8
- SSDEEP
  
  12288:CaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZBKDVsgdh:TAEENIq8XwyVPQclDq/+WipsSh
Score

10^/10

darkcomet victim defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  defense_evasion trojan
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

victimdarkcomet

behavioral1

darkcometvictimdefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometvictimdefense_evasiondiscoverypersistencerattrojan