|**ID**|X0004|
|---|---|
|**Type**|Keylogger, Screen Capture, Trojan|
|**Aliases**|None|
|**Platforms**|Windows|
|**Year**|2008|
|**Associated ATT&CK Software**|DarkComet|

Dark Comet

A Remote Access Trojan (RAT) that allows a user to control the system via a GUI. It has many features that allow it to be used as an administrative remote-help tool; however, the same features can be used maliciously. DarkComet is commonly used to spy on victims by taking screen captures, key-logging, or stealing passwords. [1]

ATT&CK Techniques

|**Name**|**Use**|
|---|---|
|Collection::Clipboard Data (T1115)|The malware reads clipboard data. [4]|
|Defense Evasion::Hide Artifacts::Hidden Window (T1564.003)|The malware hides a graphical window. [4]|
|Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks (T1497.002)|The malware checks for an unmoving mouse cursor. [4]|
|Discovery::Application Window Discovery (T1010)|The malware enumerates GUI resources. [4]|
|Discovery::Process Discovery (T1057)|The malware gets process heap force flags. [4]|
|Discovery::System Location Discovery (T1614)|The malware gets the geographical location. [4]|
|Discovery::System Location Discovery::System Language Discovery (T1614.001)|The malware gets the keyboard layout. [4]|
|Execution::Shared Modules (T1129)|The malware parses PE headers. [4]|

See ATT&CK: Dark Comet - Techniques Used.

Enhanced ATT&CK Techniques

|**Name**|**Use**|
|---|---|
|Collection::Keylogging (F0002)|DarkComet can capture keystrokes. [2]|
|Collection::Keylogging::Polling (F0002.002)|DarkComet logs keystrokes via polling. [4]|
|Collection::Screen Capture (E1113)|DarkComet can take screenshots of the victim's computer. [2]|
|Collection::Screen Capture::WinAPI (E1113.m01)|DarkComet captures screenshots. [4]|
|Persistence::Registry Run Keys / Startup Folder (F0012)|DarkComet adds several registry entries to enable automatic execution at startup. [2]|
|Defense Evasion::Indicator Blocking (F0006)|DarkComet can disable security center functions such as anti-virus and firewall. [2]|
|Command and Control::Ingress Tool Transfer (E1105)|DarkComet can download files from a remote repository upon instruction. [2]|
|Anti-Static Analysis::Software Packing (F0001)|DarkComet has the option to compress its payload using UPX or MPRESS. [2]|
|Discovery::System Information Discovery (E1082)|DarkComet can collect information about the computer, its resources, the operating system version, and disk size. [2] [4]|
|Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02)|DarkComet encodes data using XOR. [4]|
|Discovery::Application Window Discovery::Window Text (E1010.m01)|DarkComet gets graphical window text. [4]|
|Impact::Clipboard Modification (E1510)|DarkComet writes clipboard data. [4]|
|Discovery::File and Directory Discovery (E1083)|DarkComet gets file version info. [4]|
|Execution::Command and Scripting Interpreter (E1059)|DarkComet accepts command line arguments. [4]|

MBC Behaviors

|**Name**|**Use**|
|---|---|
|Impact::Remote Access (B0022)|DarkComet allows an attacker to control the system via a GUI. [1]|
|Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032)|DarkComet checks for a time delay via GetTickCount. [4]|
|Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check (B0009.012)|DarkComet checks for an unmoving mouse cursor. [4]|
|Cryptography::Encrypt Data::RC4 (C0027.009)|DarkComet encrypts data using RC4 PRGA. [4]|
|Data::Checksum::CRC32 (C0032.001)|DarkComet hashes data with CRC32. [4]|
|Data::Compression Library (C0060)|DarkComet is linked against ZLIB. [4]|
|Data::Encode Data::XOR (C0026.002)|DarkComet encodes data using XOR. [4]|
|Discovery::Code Discovery::Enumerate PE Sections (B0046.001)|DarkComet enumerates PE sections. [4]|
|Execution::Install Additional Program (B0023)|DarkComet contains an embedded PE file. [4]|
|File System::Delete File (C0047)|DarkComet deletes files. [4]|
|File System::Get File Attributes (C0049)|DarkComet gets file attributes. [4]|
|File System::Read File (C0051)|DarkComet reads files on Windows. [4]|
|File System::Write File (C0052)|DarkComet writes files on Windows. [4]|
|Memory::Allocate Memory (C0007)|DarkComet allocates RWX memory. [4]|
|Operating System::Registry::Delete Registry Key (C0036.002)|DarkComet deletes registry keys. [4]|
|Operating System::Registry::Delete Registry Value (C0036.007)|DarkComet deletes registry values. [4]|
|Operating System::Registry::Query Registry Key (C0036.005)|DarkComet queries or enumerates registry keys. [4]|
|Operating System::Registry::Query Registry Value (C0036.006)|DarkComet queries or enumerates registry values. [4]|
|Operating System::Registry::Set Registry Key (C0036.001)|DarkComet sets registry values. [4]|
|Process::Create Process (C0017)|DarkComet creates a process on Windows. [4]|
|Process::Create Thread (C0038)|DarkComet creates a thread. [4]|
|Process::Resume Thread (C0054)|DarkComet resumes a thread. [4]|
|Process::Set Thread Local Storage Value (C0041)|DarkComet sets thread local storage values. [4]|
|Process::Suspend Thread (C0055)|DarkComet suspends threads. [4]|

Indicators of Compromise

SHA256 Hashes

  • 0369aa99d731d2de260bc63b6c4f85d997eb189155c362df478d8f5afaa655b0
  • 0bb88564a22bfd6d9ad6e4d8efa9077792a7b6094c2a0f865d70c43e11507352

References

[1] https://en.wikipedia.org/wiki/DarkComet

[2] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

[3] https://bazaar.abuse.ch/browse/signature/DarkComet/

[4] capa v4.0, analyzed at MITRE on 10/12/2022