General

  • Target

    5937302c5d9b998e0d80f9476a8aa7b1_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240718-1q1ehs1emc

  • MD5

    5937302c5d9b998e0d80f9476a8aa7b1

  • SHA1

    5945ebfae25dd58abd8ed34d21a82ede4a14c866

  • SHA256

    a99e8aabcbe33fc2fda93ab6808c8f16c05a54bbedaf848182e27f4f65099bf8

  • SHA512

    c042ac639a607d4eb52d0788f845defca9d5e9ce1df6672c7ef688ed0bee7d38b31948262c25181920e1ceaa91d1aa23b645ef7e6769b55e7b62d5b0cbc558d2

  • SSDEEP

    24576:bPlDx29PP2l+zmtzRhOXYW64IhUVbhXl1GwmxWtE8yUpmdV/8YoCj3+A18:b9D49nmhGKhSV2HAE8yUQXEYf3b18

Malware Config

Extracted

Credentials

  • Protocol: ftp
  • Host: ftp.drivehq.com
  • Port: 21
  • Username: umer93

Targets

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks