This article provides an in-depth analysis of the DarkComet Backdoor malware, focusing on its functionality, its persistence methods, and the creation of detection rules with Sigma and YARA. Through both static and dynamic analysis, the author documents the malware's command-and-control behavior, file-execution strategy, and indicators of compromise. The findings indicate that the malware uses Windows privilege-escalation techniques and stealth methods to evade detection.

Affected: DarkComet Backdoor, Windows environment
Key points:
- The article examines the DarkComet Backdoor and its various attack techniques.
- Static and dynamic analyses were conducted to uncover malware behaviors.
- Detection rules for Sigma and YARA are developed for the malware.
- The malware uses a separate tool for privilege escalation and process injection.
- Indicators of compromise were identified, including file names and hashes.
- The malware attempts to download files from external URLs for further exploitation.
- Persistence mechanisms were found in registry run keys on Windows systems.
- Low-level system programming strategies enhance the malware’s stealth and evasion tactics.
MITRE Techniques:
- Persistence (T1547.001): Synaptics.exe is added as a logon autorun entry via a Registry Run key.
- Command and Control (T1105): PrintNotifyPotato.exe downloads files from various command-and-control URLs.
- Defense Evasion (T1027): Files are created with the hidden attribute to avoid detection.
- Privilege Escalation (T1134.001): Token manipulation techniques used for privilege escalation.
Indicators of Compromise:
- File Original Filename: PrintNotifyPotato.exe
- SHA-256 Hash: 437f3ab18f1886045732f150fddaa23db1e97687d4ecb826c7bd128586c19396
- Dropped File SHA-256 Hash: 9cdb7144d2bc60e045e650cc978647055d63a438a906e5bbf52e5544bb98948b
- Domain: xred.mooo[.]com
- Domain: freedns.afraid[.]org
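As an added example (not code from the article or its author), the IoCs above and the T1547.001 Run-key persistence turned into a small Python triage check over constructed Sysmon-style events; the field names (EventID, Hashes, TargetObject, Details, QueryName) follow Sysmon's schema, and the sample events are made up for the demonstration.

```python
import re

# IoCs as listed on this page (domains refanged from the [.] notation)
IOC_SHA256 = {
    "437f3ab18f1886045732f150fddaa23db1e97687d4ecb826c7bd128586c19396",
    "9cdb7144d2bc60e045e650cc978647055d63a438a906e5bbf52e5544bb98948b",
}
IOC_FILENAMES = {"printnotifypotato.exe", "synaptics.exe"}
C2_DOMAINS = {"xred.mooo.com"}
# freedns.afraid.org is listed too, but it is a public dynamic-DNS provider,
# so a lookup of it alone is only a low-confidence signal.
DYNDNS_PROVIDERS = {"freedns.afraid.org"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def sha256_of(hashes_field: str) -> str:
    """Extract SHA256 from a Sysmon Hashes field such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def classify(ev: dict) -> list[str]:
    """Return the detection names a Sysmon-style event triggers ([] if none)."""
    hits, eid = [], ev.get("EventID")
    if eid == 1:  # process creation
        if sha256_of(ev.get("Hashes", "")) in IOC_SHA256:
            hits.append("known_sample_hash")
        if ev.get("OriginalFileName", "").lower() in IOC_FILENAMES:
            hits.append("ioc_original_filename")
    elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):  # registry set
        if "synaptics.exe" in ev.get("Details", "").lower():
            hits.append("run_key_persistence_synaptics")  # T1547.001
    elif eid == 22:  # DNS query
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in C2_DOMAINS:
            hits.append("darkcomet_c2_domain")  # T1105
        elif q in DYNDNS_PROVIDERS:
            hits.append("dyndns_provider_low_confidence")
    return hits

# Constructed sample events (not from the article) that exercise each rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "OriginalFileName": "PrintNotifyPotato.exe",
     "Hashes": "SHA256=437F3AB18F1886045732F150FDDAA23DB1E97687D4ECB826C7BD128586C19396"},
    {"EventID": 13, "Details": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Synaptics"},
    {"EventID": 22, "QueryName": "xred.mooo.com"},
    {"EventID": 22, "QueryName": "freedns.afraid.org"},
]
```

Run `classify` over each event in an export; a hash or C2-domain hit is high confidence, while the dynamic-DNS hit should only raise priority when it co-occurs with one of the others.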
Full Story: https://osintteam.blog/nooope-darkcomet-backdoor-malware-analysis-1f97f04b42ed?source=rss——malware-5