General

  • Target

    6155bbc412cd3f83b1a96d1ae1e4387f_JaffaCakes118

  • Size

    469KB

  • Sample

    240721-zkkw7swekk

  • MD5

    6155bbc412cd3f83b1a96d1ae1e4387f

  • SHA1

    d2221522fb8e27491afdbb888cbe0f181e19b416

  • SHA256

    96380bd1c838c1cd545165ef08857400be8c6a4a18ae29d85b041a7687b773a5

  • SHA512

    fddc6da92f6111109cfc1639ddf5e5176312f32876bc4f92312d26f6528cb3ec145dd558b8f3c2491ab1bcd513817f96eb36867b536909dcb56d850b2188dadb

  • SSDEEP

    12288:cosczeiARKUOHRbRPp/BzVzZozCOS9u0Zo5MnfIc:co/JU+RbRh//zZgC390c

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks