darkcomet | 59cbbf75b3574b87278ee1be6c4a7ee054baedcf8758e91159d5cc63ae2ce302 | Triage

Sharing

General

Target

JaffaCakes118_b1ef6f501989c45f8ac0c5b83023099c
Size

659KB
Sample

250412-mdhr2sspv2
MD5

b1ef6f501989c45f8ac0c5b83023099c
SHA1

87f321ab9b6e9859e0e4e588bacf8e0ae5926ef3
SHA256

59cbbf75b3574b87278ee1be6c4a7ee054baedcf8758e91159d5cc63ae2ce302
SHA512

d231e746991ac7e7436a55b1e63dcf7ee73f25bbb70a6f53511b5de2865b6205a407ef2a45479c3569fdad13a1706485dcd05505b1cdc40ad4bf3567e7a954c2
SSDEEP

12288:iOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQRo:DANOCS6qwWB0V5o8mnqvtrdgDQS

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

unknownservice.no-ip.org:1604

Mutex

DC_MUTEX-R1Z8FUN

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
*ii4CJSyrgqJ
install
true
offline_keylogger
true
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_b1ef6f501989c45f8ac0c5b83023099c
- Size
  
  659KB
- MD5
  
  b1ef6f501989c45f8ac0c5b83023099c
- SHA1
  
  87f321ab9b6e9859e0e4e588bacf8e0ae5926ef3
- SHA256
  
  59cbbf75b3574b87278ee1be6c4a7ee054baedcf8758e91159d5cc63ae2ce302
- SHA512
  
  d231e746991ac7e7436a55b1e63dcf7ee73f25bbb70a6f53511b5de2865b6205a407ef2a45479c3569fdad13a1706485dcd05505b1cdc40ad4bf3567e7a954c2
- SSDEEP
  
  12288:iOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQRo:DANOCS6qwWB0V5o8mnqvtrdgDQS
Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Windows security bypass
  defense_evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

guest16darkcomet

behavioral1

darkcometguest16defense_evasiondiscoverypersistencerattrojan