General

  • Target: 61d867ed9de26551837f905ad54a9f82_JaffaCakes118
  • Size: 758KB
  • Sample: 240721-3dmzrsselm
  • MD5: 61d867ed9de26551837f905ad54a9f82
  • SHA1: 258061888b632a6c1a78600f64b6b94091b71274
  • SHA256: db07bec4e41ff57f42b5b690416a8c3eacc4d75570eb75fd3c7f32a800d18ee5
  • SHA512: 6a9d757afec77c76610b6b6be4f5012ba53f0ff91f911a2602924710f6873ab302558626ad5ba7eb8921e1f5c46d322bd904924d4318d0684a5fd6bcbd0a01bc
  • SSDEEP: 12288:m3GnbxJJobfq8zKx2p3c9n9X4Lj/Ajiam4KLPzdRnSR5Mmx:m21roDz26c9n9oHDa

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar file listings.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15