Quick Overview:
     Dark Comet is a RAT (Remote Access Trojan) created around 2008. While it did not take off until around 2012, it gained popularity quickly once it did. In 2012, the tool was deployed during the Syrian conflict for spying purposes.[1] The creator was quick to denounce the way his tool was used, eventually pulling the project entirely. Dark Comet’s creator did leave a final message on his website confirming the closure and warning people still looking for the RAT.

Starting Off:
     There are 3 areas that we want to cover while looking at this piece of malware. I am going to look at what network traffic it generates, what processes it opens, and an overview of its static information.

Network Analysis:
     For my lab environment, I have my testing machine run its traffic through an Ubuntu VM acting as the router. With this setup, I will be able to capture all requests coming from the application as well as responses from the C2.
     With everything in place, I went ahead and executed the malware. Moving to my Ubuntu VM, I could see Wireshark lighting up with requests. Initially, the only request I was getting from the application was a DNS query for a dynamic DNS (DDNS) hostname. Looking at the response, it was clear that this domain was no longer active. Other information from the response allowed us to uncover who hosted the original DDNS name.

Dark Comet trying to reach ‘deep12.ddns.net’ through no-ip.com

Checking out no-ip.com, we can see that they provide dynamic DNS names free for anyone. Curious to see what would happen if the malware were able to receive a response with an IP, I went ahead and registered the name ‘deep12.ddns.net’.
     Right after the DDNS name was registered, I noticed a change in requests and responses in Wireshark. The application finally received a response for the DDNS name and started up SYN-ACK traffic with my IP address.

SYN-ACK traffic with my IP and Dark Comet

Behavior analysis:
     Moving to how this RAT behaves, it’s time to open up Process Hacker and ProcMon.
     Starting with Process Hacker, we can go ahead and execute the Dark Comet binary. Process-wise, it is pretty straightforward what this malware wants to accomplish on its first execution. At the start, we have one main process, “backdoor.win32.darkkomet”. This is the main process from the binary that was initially executed. Once running, it does some system checks and then executes “vbc.exe”, which is the Visual Basic compiler. Lastly, the original main process creates an identical process under a different name, “xp.e.exe”, and then closes itself. To make visualization easier, I went ahead and created this flow chart.

Behavior of the Dark Comet RAT

Now that we have an idea of what processes are created and terminated, let’s open up ProcMon to see if there is anything else going on that we do not see.
     Executing the original binary, ProcMon lights up with events, most of which are registry queries and DLL loads. A few events stick out to me, though. The first is the creation of a directory named ‘wind’ in the root of the C: drive. Looking into why we see this, we find that this is where ‘xp.exe’ is placed and executed before the original process terminates.

‘C:\wind’ being created and ‘xp.exe’ being dropped

Continuing down ProcMon, there is nothing else that catches my eye. The only thing that raises my curiosity would be whether the original binary and ‘xp.e.exe’ are identical, or whether they differ in any way.

Static Analysis:
     To analyze the static portion of this binary, we are going to use a tool called ‘PE-Bear’. Here we can go ahead and load both ‘backdoor.win32.darkkomet.exe’ and ‘xp.e.exe’ and compare their MD5 hashes to see whether they are identical or differ.

MD5 and SHA1 of ‘Backdoor.Win32.DarkKomet.exe’
MD5 and SHA1 of ‘xp.e.exe’

Since both the MD5 and SHA1 hashes match, we can conclude that these are the same file, with identical contents, just under different names and locations.

Summary:
     Dark Comet holds a special place in my heart, as it was one of the first pieces of malware I interacted with when I first expanded my interest in IT. Going from being 12 years old and trying to maneuver my way around the original tool, creating stubs and infecting myself, to being able to look at what this tool does in terms of behavior and network traffic is amazing. While this is just a bare-bones stub with no extra features enabled, like original stub deletion or stub binding, it is still an interesting piece of malware to take a look at. I would love to shout out VX-Underground for hosting their wide selection of malware and allowing me to have access to said files.

Hashes:
MD5: a3cd89b386bb1890b778ef22fb7392a
SHA1: 265719f850de6a2a8e97fdfdff323a7bbcc13a9d

References:

1. McMillan, Robert. “How the Boy Next Door Accidentally Built a Syrian Spy Tool”. Wired.