General

  • Target

    0fc648733d5a38a1de14bd0090f56c58_JaffaCakes118

  • Size

    972KB

  • Sample

    240625-2gyp1azfjq

  • MD5

    0fc648733d5a38a1de14bd0090f56c58

  • SHA1

    cfc0981e181739adc583492d7e09f97a8a95f3d9

  • SHA256

    acea6dba17f0a4340832f0c8c017950bd87266cf56283d077b101215a07be1f9

  • SHA512

    0a90e0dfb04df63c04d4a828ff56dce58e5aa3af55db5734d5c42b812afd1d9214df86a7273ea6d4df1266199b14a2b94e122d9537d050aa34804a73d6ba360e

  • SSDEEP

    24576:bh6HHHHHHHHHHHHHHHHHp38ccsQEn97CFp3hBtUI1zT0U2W:bKLPqEo

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

      Typically an extra executable appended to the Userinit or Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the implant is started at every interactive logon.

    • Modifies firewall policy service

      Changes Windows Firewall policy (for example the per-profile EnableFirewall values under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy) or the firewall service itself so that the RAT's traffic is not blocked.

    • Modifies security service

      Changes the configuration of a Windows security service such as Security Center or Windows Defender, typically its start type.

    • Windows security bypass

    • Disables RegEdit via registry modification

      Sets DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which stops the user from inspecting or reverting the registry changes with regedit.exe.

    • Checks BIOS information in registry

      BIOS strings (typically the SystemManufacturer, SystemProductName and BIOS version values under HKLM\HARDWARE\DESCRIPTION\System\BIOS) are often read to detect sandboxes, since on a virtual machine they name the hypervisor vendor rather than a hardware OEM.

    • Checks computer location settings

      Looks up the country code configured in the registry (typically the Nation value under HKCU\Control Panel\International\Geo), most likely to geofence execution to or away from particular countries.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla (sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which store saved hosts, usernames and passwords.

    • Reads local data of messenger clients

      Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • UPX packed file

      The executable is packed with UPX or a modified build of that open-source packer; static signatures and string analysis need the unpacked image.

    • Windows security modification

      Typically sets the *DisableNotify values under HKLM\SOFTWARE\Microsoft\Security Center or Windows Defender policy keys so that antivirus and firewall warnings are silenced.

    • Adds Run key to start application

      Creates a value under HKCU or HKLM \Software\Microsoft\Windows\CurrentVersion\Run so the dropped executable is launched at logon.

    • Suspicious use of SetThreadContext

      Commonly the tell-tale of process hollowing (RunPE): a child process is created suspended, its image is replaced with the payload, and SetThreadContext redirects the main thread's entry point before the process is resumed.
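The persistence and defence-evasion signatures above (Winlogon, firewall policy, Security Center, DisableRegistryTools, Run keys) map to a handful of registry locations, and an incident responder wants a quick way to check a suspect host for all of them. The script below is an added example, not part of the sandbox report or of any tool it names. It evaluates a snapshot of registry values (a dict of "HIVE\subkey" -> {value: data}) so the logic runs on any OS against an exported registry or a fixture; on Windows, collect_live_snapshot() fills the same structure from the live registry with the standard-library winreg module. The expected defaults, the list of suspicious autostart paths and the SAMPLE_SNAPSHOT fixture (including its updater.exe path) are assumptions for illustration, not values taken from this report.

```python
"""Host triage for DarkComet-style registry persistence and defence evasion.

Added example, not part of the sandbox report. Works over a snapshot dict so
it runs anywhere; collect_live_snapshot() reads the real registry on Windows.
"""
import sys
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, object]]
Finding = Tuple[str, str]  # (signature name, evidence)

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_SYSTEM = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
FIREWALL_PROFILES = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile",
]
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

# Documented defaults (assumption: standard Windows install); anything else is suspect.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
EXPECTED_SHELL = "explorer.exe"
# Directories a legitimate autostart rarely lives in but droppers favour (assumption).
SUSPICIOUS_PATH_TOKENS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%", "%appdata%")


def triage(snapshot: Snapshot) -> List[Finding]:
    """Return one finding per indicator present in the snapshot."""
    findings: List[Finding] = []

    winlogon = snapshot.get(WINLOGON, {})
    for value, expected in (("Userinit", EXPECTED_USERINIT), ("Shell", EXPECTED_SHELL)):
        actual = str(winlogon.get(value, expected)).strip().lower()
        if actual != expected:  # extra executable chained onto the logon path
            findings.append(("Modifies WinLogon for persistence", f"{value}={winlogon[value]}"))

    policies = snapshot.get(POLICIES_SYSTEM, {})
    if policies.get("DisableRegistryTools") not in (None, 0):
        findings.append(("Disables RegEdit via registry modification",
                         f"DisableRegistryTools={policies['DisableRegistryTools']}"))

    for profile in FIREWALL_PROFILES:
        if snapshot.get(profile, {}).get("EnableFirewall") == 0:
            short = profile.rsplit("\\", 1)[-1]
            findings.append(("Modifies firewall policy service", f"{short} EnableFirewall=0"))

    center = snapshot.get(SECURITY_CENTER, {})
    for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
        if center.get(name) not in (None, 0):  # warnings silenced
            findings.append(("Windows security modification", f"{name}={center[name]}"))

    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if any(tok in str(data).lower() for tok in SUSPICIOUS_PATH_TOKENS):
                findings.append(("Adds Run key to start application", f"{key}\\{name} = {data}"))
    return findings


def collect_live_snapshot() -> Snapshot:
    """Windows only: read the keys above from the live registry."""
    import winreg  # standard library, present only on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot: Snapshot = {}
    for path in [WINLOGON, POLICIES_SYSTEM, SECURITY_CENTER, *FIREWALL_PROFILES, *RUN_KEYS]:
        hive, _, subkey = path.partition("\\")
        values: Dict[str, object] = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
        except OSError:  # key absent on this Windows build
            pass
        snapshot[path] = values
    return snapshot


# Constructed fixture resembling a host after a RAT install; the paths and
# value names are hypothetical and not taken from this report.
SAMPLE_SNAPSHOT: Snapshot = {
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\updater.exe",
               "Shell": "explorer.exe"},
    POLICIES_SYSTEM: {"DisableRegistryTools": 1},
    FIREWALL_PROFILES[0]: {"EnableFirewall": 0},
    SECURITY_CENTER: {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 0},
    RUN_KEYS[0]: {"SecurityHealth": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
    RUN_KEYS[1]: {"updater": r"C:\Users\victim\AppData\Roaming\updater.exe"},
}

if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for sig, evidence in triage(snap):
        print(f"[{sig}] {evidence}")
```

Run it on the compromised host, or feed it a snapshot built from a `reg export` of the keys above; an empty result means none of these particular indicators is present, not that the host is clean, since the RAT can also persist through the dropped executable's own service or scheduled task.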
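The "Reads data files stored by FTP clients" signature matters because FileZilla's sitemanager.xml is trivially readable: current versions store the password base64-encoded in a <Pass encoding="base64"> element, older ones stored it in plain text, and only sites protected by a FileZilla master password (encoding="crypt") are unrecoverable without it. The parser below is an added example, not part of the report or of FileZilla, for the responder who needs to know which accounts to rotate after such a sample ran; the embedded SAMPLE_SITEMANAGER is a constructed file with hypothetical hosts and credentials, and the pubkey value in its crypt entry is a placeholder.

```python
"""List the credentials a FileZilla sitemanager.xml exposes to an infostealer.

Added example, not part of the sandbox report. Handles the three storage forms
FileZilla has used: plain text, base64, and master-password encryption (crypt).
"""
import base64
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample file; hosts, users and passwords are hypothetical.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Web server</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass>legacyplain</Pass>
      <Logontype>1</Logontype>
      <Name>Old plain-text entry</Name>
    </Server>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>backup</User>
      <Pass encoding="crypt" pubkey="PLACEHOLDER">PLACEHOLDER</Pass>
      <Logontype>1</Logontype>
      <Name>Master-password protected</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def parse_sitemanager(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per <Server>, decoding the stored password where possible."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, str]] = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = ""
        if pass_el is not None and pass_el.text:
            encoding = pass_el.get("encoding")
            if encoding == "base64":  # current default: reversible encoding, not encryption
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            elif encoding == "crypt":  # protected by the master password; not recoverable offline
                password = "<encrypted with master password>"
            else:  # legacy versions wrote the password verbatim
                password = pass_el.text
        records.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "password": password,
        })
    return records


def accounts_to_rotate(records: List[Dict[str, str]]) -> List[str]:
    """Every saved account is exposed once the file is read, encrypted or not."""
    return [f"{r['user']}@{r['host']}:{r['port']}" for r in records if r["user"]]


if __name__ == "__main__":
    # Usage: python fz_sites.py %APPDATA%\FileZilla\sitemanager.xml (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SITEMANAGER
    for rec in parse_sitemanager(text):
        print(f"{rec['name']}: {rec['user']}@{rec['host']}:{rec['port']} password={rec['password']!r}")
    print("rotate:", ", ".join(accounts_to_rotate(parse_sitemanager(text))))
```

The same structure applies to recentservers.xml, which FileZilla writes for hosts connected to without saving a site entry, so run the parser over both files from the victim profile.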

MITRE ATT&CK Enterprise v15

Tasks