General

  • Target

    144769859640eab70ec9ed969401e8e3_JaffaCakes118

  • Size

    3.1MB

  • Sample

    240627-cegw2azcnj

  • MD5

    144769859640eab70ec9ed969401e8e3

  • SHA1

    cb6603e8867a74d2d27059cdc47438cf2340920a

  • SHA256

    7a9776c90605606de12e06a0088cbf44c12e8be266c13c5894304eda81035711

  • SHA512

    9a9d4b67a04ef8a1cbea7bc2574dbc42db6e1460650b951a322d62e6e92c64b3ee6924ce0bec5664a4c4668224f62a5ca1d3ed81430a77d31e40fb56c7fdbbef

  • SSDEEP

    24576:9lW4wul8bp7gzsRMgZsdfbk/OwSsvKf1ympTTdD+dFCx2gdtsdsqo:9lW4wulcgGMos6ONsydympTZD+3CXw

Malware Config

Targets

    • Target

      144769859640eab70ec9ed969401e8e3_JaffaCakes118

    • Size

      3.1MB

    • MD5

      144769859640eab70ec9ed969401e8e3

    • SHA1

      cb6603e8867a74d2d27059cdc47438cf2340920a

    • SHA256

      7a9776c90605606de12e06a0088cbf44c12e8be266c13c5894304eda81035711

    • SHA512

      9a9d4b67a04ef8a1cbea7bc2574dbc42db6e1460650b951a322d62e6e92c64b3ee6924ce0bec5664a4c4668224f62a5ca1d3ed81430a77d31e40fb56c7fdbbef

    • SSDEEP

      24576:9lW4wul8bp7gzsRMgZsdfbk/OwSsvKf1ympTTdD+dFCx2gdtsdsqo:9lW4wulcgGMos6ONsydympTZD+3CXw

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks