DarkComet RAT Analysis with ECAT: Part 2
Analyzing a DarkComet infection with ECAT
In this second part of our three-part video series, we show how ECAT provides a detailed analysis of an endpoint infected by the DarkComet RAT. In the first post we showed how to create your own malware with DarkComet and take full control of a target machine without triggering AV detection.
In this latest video, we show how ECAT flags the machine as compromised by detecting mismatches between live memory and the corresponding files on disk, analyzing network traffic, finding suspicious Windows hooks and floating code, and more. Each analyzed component is assigned a suspect level, and cumulatively we can see that the overall Machine Suspect Level (MSL) goes from 0 (clean) prior to the infection to 97 (bad!) subsequently. A console operator running ECAT with the agent deployed on the desktops would get alerted immediately after ECAT completed a scan of a machine compromised in this manner. Stay tuned for Part 3 in our series where we’ll show how to use ECAT for remote forensic data gathering and remediation.
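The core check the video describes, a module's code as it sits in process memory compared byte-for-byte against the same module on disk, can be illustrated offline. The following is an added example, not ECAT's code and not RSA's scoring model: it takes constructed byte strings standing in for one code section as read from disk and from memory, reports each region where they diverge, applies a simple heuristic for the inline-hook pattern a RAT typically leaves on an API prologue (a `JMP rel32` or `PUSH/RET` written over the first bytes), and rolls per-component scores up into a 0-100 machine suspect level. The scores (40 for a hook-like patch, 15 for any other divergence, capped sum) are assumptions chosen for the demonstration.

```python
"""Memory-vs-disk integrity check for a module's code section (added example, not ECAT's code).

All inputs below are constructed: no real module is read from disk or from a process.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Typical x86 Win32 API prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])
FILLER = bytes(range(0x10, 0x40))  # 48 bytes of constructed "code" following the prologue

# Constructed sample images of one section. All bytes of the hook (E9 + rel32) differ
# from the clean prologue, so the hook shows up as one contiguous 5-byte region.
DISK_IMAGE = CLEAN_PROLOGUE + FILLER
HOOKED_IMAGE = bytes([0xE9, 0x10, 0x20, 0x30, 0x40]) + FILLER
_patched = bytearray(HOOKED_IMAGE)
_patched[20] = 0x90  # a second, single-byte modification (NOP) further into the section
HOOKED_AND_PATCHED = bytes(_patched)


@dataclass
class Mismatch:
    """One contiguous region where the in-memory image differs from the on-disk image."""
    module: str
    offset: int
    disk_bytes: bytes
    memory_bytes: bytes

    @property
    def looks_like_inline_hook(self) -> bool:
        """Heuristic: the patched bytes start with JMP rel32 (E9) or PUSH imm32 / RET (68 .. C3)."""
        m = self.memory_bytes
        return (len(m) >= 5 and m[0] == 0xE9) or (len(m) >= 6 and m[0] == 0x68 and m[5] == 0xC3)


def find_mismatches(module: str, disk: bytes, memory: bytes) -> List[Mismatch]:
    """Walk both images in lock-step and collect divergent regions.

    A real agent must first apply relocation fixups to the disk image and exclude the
    import address table, or every normally loaded module would look modified.
    """
    if len(disk) != len(memory):
        raise ValueError("compare the same section at the same length")
    mismatches: List[Mismatch] = []
    i, n = 0, len(disk)
    while i < n:
        if disk[i] == memory[i]:
            i += 1
            continue
        start = i
        while i < n and disk[i] != memory[i]:
            i += 1
        mismatches.append(Mismatch(module, start, disk[start:i], memory[start:i]))
    return mismatches


def score_module(mismatches: List[Mismatch]) -> int:
    """Assumed per-module suspect score: 40 per hook-like patch, 15 per other divergence, max 60."""
    score = sum(40 if m.looks_like_inline_hook else 15 for m in mismatches)
    return min(score, 60)


def analyze_modules(modules: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, int]:
    """modules maps name -> (disk_bytes, memory_bytes); returns a suspect score per module."""
    return {name: score_module(find_mismatches(name, disk, mem))
            for name, (disk, mem) in modules.items()}


def machine_suspect_level(component_scores: Dict[str, int]) -> int:
    """Assumed aggregation: the capped sum of all component scores on a 0-100 scale."""
    return min(100, sum(component_scores.values()))


if __name__ == "__main__":
    scores = analyze_modules({
        "clean.dll": (DISK_IMAGE, DISK_IMAGE),
        "hooked.dll": (DISK_IMAGE, HOOKED_AND_PATCHED),
    })
    for m in find_mismatches("hooked.dll", DISK_IMAGE, HOOKED_AND_PATCHED):
        print(f"{m.module} +0x{m.offset:x}: disk {m.disk_bytes.hex()} memory {m.memory_bytes.hex()}"
              f" hook={m.looks_like_inline_hook}")
    # Other components (network, floating code) would be scored by their own checks; values assumed.
    scores.update({"network": 30, "floating_code": 40})
    print("Machine Suspect Level:", machine_suspect_level(scores))
```

Running it lists the 5-byte hook at offset 0 and the single patched byte at offset 20 for `hooked.dll`, nothing for `clean.dll`, and a machine suspect level saturating at 100 once the other assumed component scores are added. The heuristic deliberately flags only the two most common trampoline shapes; anything else that diverges is still reported, just at a lower weight, which is the behaviour you want from a first-pass scan that an analyst then reviews.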

Silicium Security has been acquired by EMC and is now part of RSA, The Security Division of EMC.