darkcomet | 3b2f71e5570d5c609bebf61fd2e9975fb1e5f3243013284fc6cb3a04b763d704 | Triage

Submit
Reports

Overview

overview

Static

static

3

1bd241a838...18.exe

windows7-x64

1bd241a838...18.exe

windows10-2004-x64

Sharing

General

Target

1bd241a838e2a5c6a90fbb18c7df6872_JaffaCakes118
Size

2.4MB
Sample

240701-vqhltatdjj
MD5

1bd241a838e2a5c6a90fbb18c7df6872
SHA1

c2e201a59b4e5596b30471636d6a39ff5eb20863
SHA256

3b2f71e5570d5c609bebf61fd2e9975fb1e5f3243013284fc6cb3a04b763d704
SHA512

8366159cab9e990628630a88ea3f07a43b7f670c2b58838a3f7a2da92d5fc3d6227cbcc19b8a18af08c65f63b288181dd4aae585650d669c324d156418dfc0e4
SSDEEP

49152:HkbHiSRFfrG+palCHHvZgWe7UoJJeIS3e:

Score

10^/10

darkcomet bootkit evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1bd241a838e2a5c6a90fbb18c7df6872_JaffaCakes118.exe

Resource

win7-20240221-en

darkcomet bootkit evasion persistence rat trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

1bd241a838e2a5c6a90fbb18c7df6872_JaffaCakes118.exe

Resource

win10v2004-20240226-en

darkcomet bootkit evasion persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  1bd241a838e2a5c6a90fbb18c7df6872_JaffaCakes118
- Size
  
  2.4MB
- MD5
  
  1bd241a838e2a5c6a90fbb18c7df6872
- SHA1
  
  c2e201a59b4e5596b30471636d6a39ff5eb20863
- SHA256
  
  3b2f71e5570d5c609bebf61fd2e9975fb1e5f3243013284fc6cb3a04b763d704
- SHA512
  
  8366159cab9e990628630a88ea3f07a43b7f670c2b58838a3f7a2da92d5fc3d6227cbcc19b8a18af08c65f63b288181dd4aae585650d669c324d156418dfc0e4
- SSDEEP
  
  49152:HkbHiSRFfrG+palCHHvZgWe7UoJJeIS3e:
Score

10^/10

darkcomet bootkit evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometbootkitevasionpersistencerattrojan

behavioral2

darkcometbootkitevasionpersistencerattrojan

© 2018-2024

Terms | Privacy