darkcomet | d1d2310532bcab2d6e6e3df9c2c8fe80e6770bb9023d3ec2faa2d0cca44345d1 | Triage

Sharing

General

Target

JaffaCakes118_bff04a6789b9d9818531e5425439857a
Size

900KB
Sample

250418-1xm3rszjy8
MD5

bff04a6789b9d9818531e5425439857a
SHA1

9dc5aa71a2cc30d19499abffa8b8bb476490341c
SHA256

d1d2310532bcab2d6e6e3df9c2c8fe80e6770bb9023d3ec2faa2d0cca44345d1
SHA512

8877a96047da6505a8a4615259bca48fa0e68ff48d62cd5fe2f7df290f0ac53b4ee056feaaa2c57043ef99800826df747b549efcb2004f0b2b7391c85e222c02
SSDEEP

12288:hX5XfC/zm7TYoBSZPEJMtg7MjX/s5hkcnDVg2cSx/cP+sl5ZAwxaNa3PnGVm54:hk/aBSBEJMG7JwgD2NiG5n3vO

Score

10^/10

darkcomet hackftw discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

hackftw

C2

hackingftw.no-ip.org:1324

Mutex

DC_MUTEX-A4S0HZ5

Attributes

InstallPath
system32\winlogon.exe
gencode
MrTTiB2tmghE
install
true
offline_keylogger
true
password
Marmir1212!
persistence
false
reg_key
winlogon

rc4.plain

Targets

- Target
  
  JaffaCakes118_bff04a6789b9d9818531e5425439857a
- Size
  
  900KB
- MD5
  
  bff04a6789b9d9818531e5425439857a
- SHA1
  
  9dc5aa71a2cc30d19499abffa8b8bb476490341c
- SHA256
  
  d1d2310532bcab2d6e6e3df9c2c8fe80e6770bb9023d3ec2faa2d0cca44345d1
- SHA512
  
  8877a96047da6505a8a4615259bca48fa0e68ff48d62cd5fe2f7df290f0ac53b4ee056feaaa2c57043ef99800826df747b549efcb2004f0b2b7391c85e222c02
- SSDEEP
  
  12288:hX5XfC/zm7TYoBSZPEJMtg7MjX/s5hkcnDVg2cSx/cP+sl5ZAwxaNa3PnGVm54:hk/aBSBEJMG7JwgD2NiG5n3vO
Score

10^/10

darkcomet hackftw discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcomethackftwdiscoverypersistencerattrojan

behavioral2

darkcomethackftwdiscoverypersistencerattrojan