General

  • Target

    11ce33be8962adf74d6f0d2506643706_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240626-nb2mtasbme

  • MD5

    11ce33be8962adf74d6f0d2506643706

  • SHA1

    39065393c2de7c76c225537a9a4ea000fe92da67

  • SHA256

    b5f2c8133957ed1c2897f6785e45ec5a8e40761ed44e1f7ede2eec15275804ff

  • SHA512

    39e02801fc20883d6053bd6f213e81ed6c6ebe4d450e9525fb12ddc7705b76d487b5fc89c8ca96f39d5eadcb020c2f314fe530a2cf5fa42964826682b8bdd8ea

  • SSDEEP

    24576:3cv7BZ5XFwpPboxjiIvu+63f8VRQudkgb/kVAJ3zxZvv:MzBZ51oQXtVRtdkgb/gAJ

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Disables RegEdit via registry modification

    • Sets file to hidden

      Modifies file attributes so the file does not show in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks