General

  • Target

    ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118

  • Size

    796KB

  • Sample

    240414-ydnh3sef2v

  • MD5

    ef5a47cb377760f4f1161fcaf1f6cd6f

  • SHA1

    4676cc9edb7f8a17f3929afc35df66cfd7ec5856

  • SHA256

    7cc814edd8c3dde2c4544e3834900723c97c8b5c78e9ef02c8836c5b63a8b2cc

  • SHA512

    84dadf4d80b41d3c1e2af276af3ec13762c4073c7ed2a41e4b7240c2334e064d3b715b61e06a13dc76ed738f13d775769783ad22061050bc26d08c5acf646daf

  • SSDEEP

    12288:3VmPcyDQDmkLhCBzpRrTZM6YaNPrLAtLUnhXhVWZbPWB/Su1sclKn:i0hExpRfZM6YurE+X+ZpwsclKn

Malware Config

Targets

    • Target

      ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks