General

  • Target

    6604dbe40fed400f152820801921bfc6_JaffaCakes118

  • Size

    492KB

  • Sample

    240723-edsy1swgjj

  • MD5

    6604dbe40fed400f152820801921bfc6

  • SHA1

    ca53d76aa76a407e1995df206f932de6e48c79ff

  • SHA256

    5bc0d04eea6125d158e08c46af6f22ed81644b056ef80a85e65121b6c7cd9d85

  • SHA512

    3f985396709098359fa4cef8328c04d4eaec1be8f954fb9bc7029bb29a451562ace1fd9ea63b1a3e63ed807ca117ca914bb86a6a0da7daf300808b366f2c1e61

  • SSDEEP

    12288:Ukco22Xawbj0udQbAgwOjwDMtI6pQOak7eN+jU:UT2Xv9rgjwDwpKk71

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks