General

  • Target

    178db5992b083838ffb393f855bb3038_JaffaCakes118

  • Size

    659KB

  • Sample

    240627-z3tl3atdnn

  • MD5

    178db5992b083838ffb393f855bb3038

  • SHA1

    113e849141da66115b181809169c4c590b5dcabb

  • SHA256

    2b16710a962c2676143e1f663626bbd2b8daab3f70718414ce6d2cd534379b7b

  • SHA512

    08e3e09cac0c6e9966f30119f6f94f95b4bd5f55d7e06e91b860e73e57e34648aa089af8168dce3eb1895e23604bf00adcad015a0fdf32994f7958e49afa1f5a

  • SSDEEP

    12288:19AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKZ:zAQ6Zx9cxTmOrucTIEFSpOGU

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks