General
-
Target
f2ad0e284b8f76c0c1eb239017466836_JaffaCakes118
-
Size
743KB
-
Sample
240416-ewybfsbc2s
-
MD5
f2ad0e284b8f76c0c1eb239017466836
-
SHA1
f20522b3c5790420e108240c76998d05a32773e5
-
SHA256
cf7395ed7710817d358321e6fd7a0a18984ad52552e816807168990200b5a1ab
-
SHA512
6b8c8e1ce8d1897bbdbc6894b9cc81e699aa32b38a36d87b2d2514eb361e4ff4f1c23461c80e07434ff635221766c8909cbf04ac96007bff336e3e3da9f91d76
-
SSDEEP
12288:M7CkTL36WOSXGRg1lv9Ttr4kqFO+JzbuUUkg/TqWwnuOdEiMPHtECjGeJxS+IP1K:LkTL3WSpb9akqtZuUUk0TqWwnjJMPHSY
Malware Config
Targets
-
-
Target
f2ad0e284b8f76c0c1eb239017466836_JaffaCakes118
-
Size
743KB
-
MD5
f2ad0e284b8f76c0c1eb239017466836
-
SHA1
f20522b3c5790420e108240c76998d05a32773e5
-
SHA256
cf7395ed7710817d358321e6fd7a0a18984ad52552e816807168990200b5a1ab
-
SHA512
6b8c8e1ce8d1897bbdbc6894b9cc81e699aa32b38a36d87b2d2514eb361e4ff4f1c23461c80e07434ff635221766c8909cbf04ac96007bff336e3e3da9f91d76
-
SSDEEP
12288:M7CkTL36WOSXGRg1lv9Ttr4kqFO+JzbuUUkg/TqWwnuOdEiMPHtECjGeJxS+IP1K:LkTL3WSpb9akqtZuUUk0TqWwnjJMPHSY
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1