General
-
Target
1d03e678086d7ed3f940daaabda794e4_JaffaCakes118
-
Size
1.3MB
-
Sample
241007-mverqa1dkk
-
MD5
1d03e678086d7ed3f940daaabda794e4
-
SHA1
52aca9e402932a86e5124f6d07361808c4e4eaca
-
SHA256
6c17343bf1142d45fb727584a91ca85ed43a7fe16e92b516d5b4681fd340572c
-
SHA512
e92db4946fd1a7e55d331028ebb1e4ce1cdd904926f23af9be8e6cd900e640fc5a2f8fb32063df933d203c91ed060780cceed2a616dfe8e1d5aabac818bf79f7
-
SSDEEP
24576:iLXc/j4flqB703wk/mWBM+aYQStyfg2j5PmnchLeNXOdikcPCkBO0essSpm4GkXr:YX8jlBe6+aBSva8a/dtST
Malware Config
Targets
-
-
Target
1d03e678086d7ed3f940daaabda794e4_JaffaCakes118
-
Size
1.3MB
-
MD5
1d03e678086d7ed3f940daaabda794e4
-
SHA1
52aca9e402932a86e5124f6d07361808c4e4eaca
-
SHA256
6c17343bf1142d45fb727584a91ca85ed43a7fe16e92b516d5b4681fd340572c
-
SHA512
e92db4946fd1a7e55d331028ebb1e4ce1cdd904926f23af9be8e6cd900e640fc5a2f8fb32063df933d203c91ed060780cceed2a616dfe8e1d5aabac818bf79f7
-
SSDEEP
24576:iLXc/j4flqB703wk/mWBM+aYQStyfg2j5PmnchLeNXOdikcPCkBO0essSpm4GkXr:YX8jlBe6+aBSva8a/dtST
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1