General

  • Target

    65d342a58f47a10eff501b81e216893a_JaffaCakes118

  • Size

    486KB

  • Sample

    240723-c6qcgstcpj

  • MD5

    65d342a58f47a10eff501b81e216893a

  • SHA1

    1fa146a9da6d80dabded0c9e77b08fdc76b3c25b

  • SHA256

    25b56915e1ee6fe077a522aca7a3f0608a1401a305b79f3893a5b1d77771a9fd

  • SHA512

    fe44597a3fd6a21af9d221836825f4a658b21d2a1e02d1bdcdbbde6119f23aef5cb49a957fe0dd91bb752239aaf417f9a5fcad10484bdaed5b66dcb989e49e37

  • SSDEEP

    12288:6YsLqME2MAar1c/mh4bgKLsMzff59vhxhJoG3:6YIqME25MqOh4nwM7hJThl

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks