darkcomet | 07369156178ba6f590d73e7bf4b65e905a982fc5e71cb4c58d2f3ca4f75e4748 | Triage

Submit
Reports

Overview

overview

Static

static

3

1eb4f63681...18.exe

windows7-x64

1eb4f63681...18.exe

windows10-2004-x64

Sharing

General

Target

1eb4f6368114de35712e3877a11244a1_JaffaCakes118
Size

297KB
Sample

240702-ktx6kavelc
MD5

1eb4f6368114de35712e3877a11244a1
SHA1

fd3b3d3c5b2e0f4a581d816779be8a39de77c41a
SHA256

07369156178ba6f590d73e7bf4b65e905a982fc5e71cb4c58d2f3ca4f75e4748
SHA512

be8b84d63f44201e36b9a61e660adb7cdede8a8be57c8e44896aa69707d16fbfe36b82f8730232fecce75b27fdf5ddcfe5723a4b7c57a49d3f096e0ba08fb7cd
SSDEEP

6144:cympJy59MG872XFaVTvo09tRN6uLWidOEtO2Asc7o9zzKMDVQ1:FOPGYc2U0XRN6gWh8O2h/9zzKMDVQ1

Score

10^/10

darkcomet gagze evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe

Resource

win7-20240221-en

darkcomet gagze evasion persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe

Resource

win10v2004-20240508-en

darkcomet gagze evasion persistence rat trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

darkcomet

Botnet

Gagze

C2

abdodo.no-ip.org:100

Mutex

DC_MUTEX-V6608W1

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
G31Xw9jA2Vip
install
true
offline_keylogger
true
password
123456789
persistence
true
reg_key
MicroUpdate

Targets

- Target
  
  1eb4f6368114de35712e3877a11244a1_JaffaCakes118
- Size
  
  297KB
- MD5
  
  1eb4f6368114de35712e3877a11244a1
- SHA1
  
  fd3b3d3c5b2e0f4a581d816779be8a39de77c41a
- SHA256
  
  07369156178ba6f590d73e7bf4b65e905a982fc5e71cb4c58d2f3ca4f75e4748
- SHA512
  
  be8b84d63f44201e36b9a61e660adb7cdede8a8be57c8e44896aa69707d16fbfe36b82f8730232fecce75b27fdf5ddcfe5723a4b7c57a49d3f096e0ba08fb7cd
- SSDEEP
  
  6144:cympJy59MG872XFaVTvo09tRN6uLWidOEtO2Asc7o9zzKMDVQ1:FOPGYc2U0XRN6gWh8O2h/9zzKMDVQ1
Score

10^/10

darkcomet gagze evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

darkcometgagzeevasionpersistencerattrojan

behavioral2

darkcometgagzeevasionpersistencerattrojan

© 2018-2024

Terms | Privacy