Field | Value |
---|---|
ID | X0004 |
Type | Keylogger, Screen Capture, Trojan |
Aliases | None |
Platforms | Windows |
Year | 2008 |
Associated ATT&CK Software | DarkComet |
A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features that allow a user to employ it as an administrative remote-help tool; however, many of those same features can be used maliciously. DarkComet is commonly used to spy on victims by taking screen captures, key-logging, or stealing passwords. [1]
Name | Use |
---|---|
Collection::Clipboard Data (T1115) | The malware reads clipboard data. [4] |
Defense Evasion::Hide Artifacts::Hidden Window (T1564.003) | The malware hides a graphical window. [4] |
Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks (T1497.002) | The malware checks for an unmoving mouse cursor. [4] |
Discovery::Application Window Discovery (T1010) | The malware enumerates GUI resources. [4] |
Discovery::Process Discovery (T1057) | The malware gets process heap force flags. [4] |
Discovery::System Location Discovery (T1614) | The malware gets the geographical location. [4] |
Discovery::System Location Discovery::System Language Discovery (T1614.001) | The malware gets the keyboard layout. [4] |
Execution::Shared Modules (T1129) | The malware parses PE headers. [4] |
See ATT&CK: Dark Comet - Techniques Used.
Name | Use |
---|---|
Collection::Keylogging (F0002) | DarkComet can capture keystrokes. [2] |
Collection::Keylogging::Polling (F0002.002) | DarkComet logs keystrokes via polling. [4] |
Collection::Screen Capture (E1113) | DarkComet can take screenshots of the victim's computer. [2] |
Collection::Screen Capture::WinAPI (E1113.m01) | DarkComet captures screenshots. [4] |
Persistence::Registry Run Keys / Startup Folder (F0012) | DarkComet adds several registry entries to enable automatic execution at startup. [2] |
Defense Evasion::Indicator Blocking (F0006) | DarkComet can disable security center functions like anti-virus and firewall. [2] |
Command and Control::Ingress Tool Transfer (E1105) | DarkComet can download files from a remote repository upon instruction. [2] |
Anti-Static Analysis::Software Packing (F0001) | DarkComet has the option to compress its payload using UPX or MPRESS. [2] |
Discovery::System Information Discovery (E1082) | DarkComet can collect information about the computer, its resources, and the operating system version, and can get the disk size. [2] [4] |
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | DarkComet encodes data using XOR. [4] |
Discovery::Application Window Discovery::Window Text (E1010.m01) | DarkComet gets graphical window text. [4] |
Impact::Clipboard Modification (E1510) | DarkComet writes clipboard data. [4] |
Discovery::File and Directory Discovery (E1083) | DarkComet gets file version info. [4] |
Execution::Command and Scripting Interpreter (E1059) | DarkComet accepts command line arguments. [4] |
SHA256 Hashes
- 0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0
- 0bb88564a22bfd6d9ad6e4d8efa9077792a7b6094c2a0f865d70c43e11507352
[1] https://en.wikipedia.org/wiki/DarkComet
[2] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[3] https://bazaar.abuse.ch/browse/signature/DarkComet/
[4] capa v4.0, analyzed at MITRE on 10/12/2022