darkcomet | 1f80d1af672a300c2704a261ba05c5cfb2dbbbb934749fdd26a7099a58259f77 | Triage

Sharing

General

Target

JaffaCakes118_bbf7c96e37e67baf7969a1ef0002a403
Size

764KB
Sample

250418-bsyahaxyht
MD5

bbf7c96e37e67baf7969a1ef0002a403
SHA1

5e1e6e63e3da11b4c4f0c8429e424d99fe354f8a
SHA256

1f80d1af672a300c2704a261ba05c5cfb2dbbbb934749fdd26a7099a58259f77
SHA512

268d13a2032df9290c7e18f9345ed7f885a8c80037a52b521e976ab76485c6cdc94e74c95495c317c69cffa2d761f532357822ff8089686912fec6ba8bf424e1
SSDEEP

12288:XZeVQkTrvj4r6/nZXDm3ynq9OotqFP4G8erVnj1O61WltQOjuLkEsjfhNcMvC:XwQkTf4r69TiOoCeej1l1WltjrrIqC

Score

10^/10

darkcomet my server discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

My server

C2

192.168.12.4:36049

Mutex

DC_MUTEX-8DYRWVQ

Attributes

InstallPath
ransdWindupdt\windowz.exe
gencode
B3a1qL*Pj1PT
install
true
offline_keylogger
true
password
sopwenv1
persistence
false
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_bbf7c96e37e67baf7969a1ef0002a403
- Size
  
  764KB
- MD5
  
  bbf7c96e37e67baf7969a1ef0002a403
- SHA1
  
  5e1e6e63e3da11b4c4f0c8429e424d99fe354f8a
- SHA256
  
  1f80d1af672a300c2704a261ba05c5cfb2dbbbb934749fdd26a7099a58259f77
- SHA512
  
  268d13a2032df9290c7e18f9345ed7f885a8c80037a52b521e976ab76485c6cdc94e74c95495c317c69cffa2d761f532357822ff8089686912fec6ba8bf424e1
- SSDEEP
  
  12288:XZeVQkTrvj4r6/nZXDm3ynq9OotqFP4G8erVnj1O61WltQOjuLkEsjfhNcMvC:XwQkTf4r69TiOoCeej1l1WltjrrIqC
Score

10^/10

darkcomet my server discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmy serverdiscoverypersistencerattrojan

behavioral2

darkcometmy serverdiscoverypersistencerattrojan