General

  • Target

    13e2313c0090887c6e5ca605a4daea44_JaffaCakes118

  • Size

    652KB

  • Sample

    240626-3gvtsazfpc

  • MD5

    13e2313c0090887c6e5ca605a4daea44

  • SHA1

    4504137765992c716ba98ff5ad6e9baf4cf256ae

  • SHA256

    936ac6210bbdf887ceb17246e841c8c7e88322ef3359f65c548ec972cf51d92b

  • SHA512

    a36d88d83a39566e8c027dec55589373519ae94d264e65c5dc12b4a59593f89a95235788281b7a7f0e1f821f6676132e560a506ca0ad1ef10e80b1099dfa5392

  • SSDEEP

    12288:udNWQqqZMdLQYzgyWZ3u+gVj+9c9+DtCGTtd5Z+OopDnHPYLt1mRnWEu:ublq8MdLQzyWZRc9gwcopTPYLTDF

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks