darkcomet | 37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278 | Triage

Sharing

General

Target

JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6
Size

792KB
Sample

250418-dzxnnasrx2
MD5

bc5e9d6c42c4a7a8f3e399628b35edc6
SHA1

89467555b70aa69a09f2a9b6068d851bc6da3730
SHA256

37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278
SHA512

f85ba3ccf4a76412a53d286b8dd6ab02feca4736c27e2b5a6ed6b158543bf5780ceef3c213613727f0b9ddeb267bb5ad1bb79fc70ecc5c2610c7b0ec9624d5ff
SSDEEP

24576:XlvYrG9qagUztjgUVWdxfYEbKQZ87bqeA4L9j/A:eK9qagUO2wO7bXA4

Score

10^/10

darkcomet mooose defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Mooose

C2

masha.zapto.org:1604

Mutex

DC_MUTEX-9HH2WSZ

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
iUjv.BRt=lEN
install
true
offline_keylogger
true
persistence
true
reg_key
winupdater

rc4.plain

Targets

- Target
  
  JaffaCakes118_bc5e9d6c42c4a7a8f3e399628b35edc6
- Size
  
  792KB
- MD5
  
  bc5e9d6c42c4a7a8f3e399628b35edc6
- SHA1
  
  89467555b70aa69a09f2a9b6068d851bc6da3730
- SHA256
  
  37f71d92f06d6db3a5660d2029e0828277f5970942554372c0405eeb5daec278
- SHA512
  
  f85ba3ccf4a76412a53d286b8dd6ab02feca4736c27e2b5a6ed6b158543bf5780ceef3c213613727f0b9ddeb267bb5ad1bb79fc70ecc5c2610c7b0ec9624d5ff
- SSDEEP
  
  24576:XlvYrG9qagUztjgUVWdxfYEbKQZ87bqeA4L9j/A:eK9qagUO2wO7bXA4
Score

10^/10

darkcomet mooose defense_evasion discovery persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  defense_evasion
- Windows security bypass
  defense_evasion trojan
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  defense_evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

darkcometmooosedefense_evasiondiscoverypersistencerattrojan

behavioral2

darkcometmooosedefense_evasiondiscoverypersistencerattrojan