General
-
Target
d112132d27f9b6e84cb9784200b64303_JaffaCakes118
-
Size
788KB
-
Sample
240907-e2erasvcln
-
MD5
d112132d27f9b6e84cb9784200b64303
-
SHA1
1ed600d73eb2d91a26a6fad885e78019a1e59f57
-
SHA256
ffba5c94c4f84db082950b8ac931a6259dd8b201b8d65b032bf416c40be5b6e2
-
SHA512
f255ebce177fa7125fb33acd26c7e0f9b9b941c7aa4d41ea0a40c624f72c082caa2db91b98af9b554401f69ec28b55e6e6329bdb9a2a0e2c6643f7b5a6ee9397
-
SSDEEP
12288:azUA4iOjq4LISO9yU1R74xUdY9zkWd2xexgUWUGlso6bDn4m0q:SUA1x19BR839zMxSBWUGlszn4m0
Malware Config
Targets
-
-
Target
d112132d27f9b6e84cb9784200b64303_JaffaCakes118
-
Size
788KB
-
MD5
d112132d27f9b6e84cb9784200b64303
-
SHA1
1ed600d73eb2d91a26a6fad885e78019a1e59f57
-
SHA256
ffba5c94c4f84db082950b8ac931a6259dd8b201b8d65b032bf416c40be5b6e2
-
SHA512
f255ebce177fa7125fb33acd26c7e0f9b9b941c7aa4d41ea0a40c624f72c082caa2db91b98af9b554401f69ec28b55e6e6329bdb9a2a0e2c6643f7b5a6ee9397
-
SSDEEP
12288:azUA4iOjq4LISO9yU1R74xUdY9zkWd2xexgUWUGlso6bDn4m0q:SUA1x19BR839zMxSBWUGlszn4m0
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1