General
-
Target
7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118
-
Size
3.2MB
-
Sample
241029-nle7kavekh
-
MD5
7c15fb3e213e1071e2f4fe2656ff8c72
-
SHA1
3f1a13661076f7ef318dc6e23a9299481a1176e5
-
SHA256
ba195a7c0affd458a7ecd4cdb1d04638a4d3f6c36b45e994bc055df1b59351df
-
SHA512
17f9d42e18d1d559d2852734eadfc70e1882e9a9c49913f3a01a01048c173d8a48c2aa9126675a035b6ea5bcbd78ebf613bc3636a7972d8417dbe5a0760bb3fb
-
SSDEEP
49152:m32jqCCU1B51m84CU+sen2MGm2Dr5vdezjjygGTcE:
Malware Config
Targets
-
-
Target
7c15fb3e213e1071e2f4fe2656ff8c72_JaffaCakes118
-
Size
3.2MB
-
MD5
7c15fb3e213e1071e2f4fe2656ff8c72
-
SHA1
3f1a13661076f7ef318dc6e23a9299481a1176e5
-
SHA256
ba195a7c0affd458a7ecd4cdb1d04638a4d3f6c36b45e994bc055df1b59351df
-
SHA512
17f9d42e18d1d559d2852734eadfc70e1882e9a9c49913f3a01a01048c173d8a48c2aa9126675a035b6ea5bcbd78ebf613bc3636a7972d8417dbe5a0760bb3fb
-
SSDEEP
49152:m32jqCCU1B51m84CU+sen2MGm2Dr5vdezjjygGTcE:
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Windows security bypass
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
9Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4