darkcomet | 313647849f5f7c41371e99976f1c2e0a60e2cf3e6f7b8b916b46ef38b3e173c7 | Triage

Sharing

General

Target

JaffaCakes118_b09dd96c8fd3285ecbf79457eac1dd5d
Size

900KB
Sample

250412-bj6khstvgx
MD5

b09dd96c8fd3285ecbf79457eac1dd5d
SHA1

3c1684d18e5bcf062fa7b2ae8bc1ae1b735298e0
SHA256

313647849f5f7c41371e99976f1c2e0a60e2cf3e6f7b8b916b46ef38b3e173c7
SHA512

3e2070ebd197fca4f4da7f3597afe8949cf1765358cef7074837756041b2970339446b2ec0b86350ec18d03a53a7f53b84500625e856f810853b9779c960aaf5
SSDEEP

12288:HX5XfC/zm7TYoBSZPEJMtg7MjX/s5hkcnDVg2cSx/cP+sl5ZAwxaNa3PnGVm54:Hk/aBSBEJMG7JwgD2NiG5n3vO

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

opiate.zapto.org:1984

Mutex

DC_MUTEX-N00F7NG

Attributes

gencode
pM9ElB*F%/MM
install
false
offline_keylogger
false
persistence
false

rc4.plain

Targets

- Target
  
  JaffaCakes118_b09dd96c8fd3285ecbf79457eac1dd5d
- Size
  
  900KB
- MD5
  
  b09dd96c8fd3285ecbf79457eac1dd5d
- SHA1
  
  3c1684d18e5bcf062fa7b2ae8bc1ae1b735298e0
- SHA256
  
  313647849f5f7c41371e99976f1c2e0a60e2cf3e6f7b8b916b46ef38b3e173c7
- SHA512
  
  3e2070ebd197fca4f4da7f3597afe8949cf1765358cef7074837756041b2970339446b2ec0b86350ec18d03a53a7f53b84500625e856f810853b9779c960aaf5
- SSDEEP
  
  12288:HX5XfC/zm7TYoBSZPEJMtg7MjX/s5hkcnDVg2cSx/cP+sl5ZAwxaNa3PnGVm54:Hk/aBSBEJMG7JwgD2NiG5n3vO
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Windows security bypass
  defense_evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan