General
Target: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118
Size: 880KB
Sample: 241028-q8bh1a1bna
MD5: 79f26faebf6f232fd71c2d81c400a91e
SHA1: 2a0b954324ff364271acb04589f1cceeb3b8a713
SHA256: 39dd349bae7daea858678837db336d958aab66ca4f47c852ca16a45b273cb18b
SHA512: 1ec197da98d1f5f75be1a3fe8a91fb30db78bee52a72d8c23c7d1b3626cceab46fc85a5f236dbfc9cba65207250b6102dbbb3770c88dd36aee9e52487c1d46c2
SSDEEP: 12288:wqFvD1WrkIwrOqepNt0RoirD7/xNmcBH0dqhTtlN9p41zlq4uhT:wAB7IEOqBRbrDz2eU8IPuhT
Static task: static1
Behavioral task: behavioral1
Sample: 79f26faebf6f232fd71c2d81c400a91e_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Targets
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Pre-OS Boot (1)
- Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)