General

  • Target

    131da82ef6d07117f53b510d30868284_JaffaCakes118

  • Size

    787KB

  • Sample

    240626-xx52ss1gqj

  • MD5

    131da82ef6d07117f53b510d30868284

  • SHA1

    369931664189b626bd77b3af71b2c808effb8b0a

  • SHA256

    99156da53e622418cbd84c7de2dd8dc49d9068bc8cb227b1ba7f6d47667d1e09

  • SHA512

    d959b283a2f077e50a66d019e13a600c3ed6b5f927fbd84d8db8542109c1aa0f22957ae4d3be934cac6448b0a14dee6129a64937e049a732ec8afd7634562999

  • SSDEEP

    12288:1ERH1F+Wig3LxzA2AijRTTpXsLioEwN7vblTs13Q0oK2KmO5VMzXuD43lpUD7y:uRH6WZdVAqfsLiGN7bGdadOmmqlO/y

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks