General
-
Target
6018c72c19e69bf8a1594ebae3bbb291_JaffaCakes118
-
Size
1.7MB
-
Sample
241020-dtkf5sxhkq
-
MD5
6018c72c19e69bf8a1594ebae3bbb291
-
SHA1
13b3a15ce9da31cc09563dd17fd912ef1b9f52a4
-
SHA256
9f5cfb760359c3757d97b9115563fc05179b96f360a982f7a6232bf7135054b7
-
SHA512
21c81d83c6983a2ce8ce8ae6d532597cf4eae418f357f75e6214c42687a617dd86b2e50d90e9f34bbe88adcb35d31e204a4a26f025c98f819cee8881494da967
-
SSDEEP
12288:9fvXLnXB7VYZUoIYbb4Y8sQs1fQnemNnKFlCPRHMMCDJBp5CfmcGD1r2OxctacJp:1lkMsDWmcGDNEyABo3ad867ILOo3
Malware Config
Targets
-
-
Target
6018c72c19e69bf8a1594ebae3bbb291_JaffaCakes118
-
Size
1.7MB
-
MD5
6018c72c19e69bf8a1594ebae3bbb291
-
SHA1
13b3a15ce9da31cc09563dd17fd912ef1b9f52a4
-
SHA256
9f5cfb760359c3757d97b9115563fc05179b96f360a982f7a6232bf7135054b7
-
SHA512
21c81d83c6983a2ce8ce8ae6d532597cf4eae418f357f75e6214c42687a617dd86b2e50d90e9f34bbe88adcb35d31e204a4a26f025c98f819cee8881494da967
-
SSDEEP
12288:9fvXLnXB7VYZUoIYbb4Y8sQs1fQnemNnKFlCPRHMMCDJBp5CfmcGD1r2OxctacJp:1lkMsDWmcGDNEyABo3ad867ILOo3
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1