General

  • Target

    920a6ee052bcfaf17abf6977431a6bd8_JaffaCakes118

  • Size

    805KB

  • Sample

    241124-cxffxsyrhy

  • MD5

    920a6ee052bcfaf17abf6977431a6bd8

  • SHA1

    77541716906dc4be85ac39ea2dfced1a9ef57861

  • SHA256

    b088833e8dddce0b2f6d61ddefcfdc7e19941a46a8726df5efa90809cdc8f68d

  • SHA512

    871b134ed9d639409fc62e7f9a18ae25e673b528bf88b2e45b3931584b00c0b05f444ccb8467c6c34093b058b72833b0d1739d7bb1b6573ce25fb75c275a8f2d

  • SSDEEP

    12288:UIRDYapjqxhDjaAchpWsuVtDnBsBDJIcynnC90levX4CuYf2D82T3s99+VHuNKO2:U0qrmAEE3uBDhynCylQgi63O9+VuNI

Targets

    • Target

      920a6ee052bcfaf17abf6977431a6bd8_JaffaCakes118

    • Size

      805KB

    • MD5

      920a6ee052bcfaf17abf6977431a6bd8

    • SHA1

      77541716906dc4be85ac39ea2dfced1a9ef57861

    • SHA256

      b088833e8dddce0b2f6d61ddefcfdc7e19941a46a8726df5efa90809cdc8f68d

    • SHA512

      871b134ed9d639409fc62e7f9a18ae25e673b528bf88b2e45b3931584b00c0b05f444ccb8467c6c34093b058b72833b0d1739d7bb1b6573ce25fb75c275a8f2d

    • SSDEEP

      12288:UIRDYapjqxhDjaAchpWsuVtDnBsBDJIcynnC90levX4CuYf2D82T3s99+VHuNKO2:U0qrmAEE3uBDhynCylQgi63O9+VuNI

    • Darkcomet

      DarkComet is a remote access trojan (RAT) written by Jean-Pierre Lesueur (DarkCoderSc). Development stopped in 2012, but the builder and builds derived from it are still widely circulated, so the family remains common in sandbox submissions.

    • Darkcomet family

    • Modifies WinLogon for persistence

      Typically done by appending a dropped executable to the Userinit (or Shell) value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so the payload starts with every interactive logon.

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS vendor and version strings under HKLM\HARDWARE\DESCRIPTION\System are often read to detect virtualised sandbox environments (for example VirtualBox, VMware or QEMU identifiers).

    • Checks computer location settings

      Looks up the country code (GeoID) configured in the registry, most likely to geofence execution by region.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Commonly seen in process hollowing: a process is created suspended, its image is replaced with the payload, and SetThreadContext redirects the main thread's entry point into the injected code before it is resumed.
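The signatures above are behavioural labels; the registry state behind them is what an analyst actually checks, both before detonation (would this sandbox trip the BIOS and locale checks?) and after it (what persistence and security-policy changes did the sample leave behind?). The following Python helper, added here as an example and not code from the sandbox or from this report, evaluates a registry snapshot against those signatures. The registry paths are the documented Windows locations; the snapshot at the bottom, the `MSDCSC\msdcsc.exe` install path, the `MicroUpdate` Run value and the blocked GeoID list are constructed for illustration.

```python
"""Registry-snapshot triage for the DarkComet signatures in the report above.

Added example, not part of the sandbox report.  Paths are the documented
Windows registry locations; the snapshot at the bottom is constructed.
"""
from typing import Dict, Iterable, List, Union

RegValue = Union[str, int, List[str]]
Snapshot = Dict[str, Dict[str, RegValue]]

# Substrings a "checks BIOS information" evasion routine typically matches.
VM_TOKENS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS", "HYPER-V")
BIOS_KEYS = {
    r"HKLM\HARDWARE\DESCRIPTION\System": ("SystemBiosVersion", "VideoBiosVersion"),
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": ("SystemManufacturer", "SystemProductName", "BIOSVendor"),
}
GEO_KEY = r"HKCU\Control Panel\International\Geo"  # "Nation" holds the GeoID
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {"Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"}
RUN_KEYS = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
FIREWALL = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile")
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
POLICIES_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def _values(snap: Snapshot, key: str) -> Dict[str, RegValue]:
    """Case-insensitive key lookup; registry paths are not case sensitive."""
    for k, v in snap.items():
        if k.lower() == key.lower():
            return v
    return {}


def _strings(value: RegValue) -> List[str]:
    """Flatten REG_SZ / REG_MULTI_SZ / missing values to a list of strings."""
    if value is None:
        return []
    return [str(s) for s in value] if isinstance(value, list) else [str(value)]


def bios_evasion_hits(snap: Snapshot) -> List[str]:
    """BIOS strings a VM-detecting check would match.  Run this against a
    sandbox image before detonation: any hit means the sample can tell it is
    virtualised and may exit or stay benign."""
    hits = []
    for key, names in BIOS_KEYS.items():
        for name in names:
            for s in _strings(_values(snap, key).get(name)):
                if any(tok in s.upper() for tok in VM_TOKENS):
                    hits.append(f"{name}={s}")
    return hits


def geofence_blocks(snap: Snapshot, blocked_geoids: Iterable[object]) -> bool:
    """Mirror of the 'checks computer location settings' logic.  The report
    does not say which regions the sample excludes, so the list is a
    placeholder argument rather than a real DarkComet constant."""
    nation = _values(snap, GEO_KEY).get("Nation")
    return nation is not None and str(nation).strip() in {str(g) for g in blocked_geoids}


def persistence_findings(snap: Snapshot) -> List[str]:
    """Winlogon Userinit/Shell tampering and any Run-key entries."""
    out = []
    wl = _values(snap, WINLOGON)
    for name, default in WINLOGON_DEFAULTS.items():
        current = wl.get(name)
        if current is not None and str(current).strip().lower() != default.lower():
            out.append(f"Winlogon\\{name} = {current!r}")
    for key in RUN_KEYS:
        for name, cmd in _values(snap, key).items():
            out.append(f"{key}\\{name} = {cmd!r}")
    return out


def security_findings(snap: Snapshot) -> List[str]:
    """Firewall policy, Security Center notification and UAC changes."""
    out = []
    if _values(snap, FIREWALL).get("EnableFirewall") == 0:
        out.append("StandardProfile\\EnableFirewall = 0")
    for name, val in _values(snap, SECURITY_CENTER).items():
        if name.endswith("DisableNotify") and val == 1:
            out.append(f"Security Center\\{name} = 1")
    if _values(snap, POLICIES_SYSTEM).get("EnableLUA") == 0:
        out.append("Policies\\System\\EnableLUA = 0")
    return out


def triage(snap: Snapshot, blocked_geoids: Iterable[object] = ()) -> Dict[str, object]:
    return {"vm_strings": bios_evasion_hits(snap),
            "geofenced": geofence_blocks(snap, blocked_geoids),
            "persistence": persistence_findings(snap),
            "security": security_findings(snap)}


# Constructed snapshot: a VirtualBox guest with a US locale (GeoID 244) after a
# DarkComet-style install.  The install path and value names are illustrative.
SAMPLE_SNAPSHOT: Snapshot = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"],
                                           "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1"]},
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "innotek GmbH",
                                                "SystemProductName": "VirtualBox"},
    GEO_KEY: {"Nation": "244"},
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe",
               "Shell": "explorer.exe"},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"MicroUpdate": r"C:\Users\victim\AppData\Roaming\MSDCSC\msdcsc.exe"},
    FIREWALL: {"EnableFirewall": 0},
    SECURITY_CENTER: {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1},
    POLICIES_SYSTEM: {"EnableLUA": 0},
}

if __name__ == "__main__":
    for section, result in triage(SAMPLE_SNAPSHOT, blocked_geoids={"203"}).items():
        print(f"{section}: {result}")
```

On a real image the snapshot would come from an exported hive (`reg export` before and after detonation) rather than a literal; diffing the two exports and feeding only changed keys to `persistence_findings` and `security_findings` keeps the noise down. The VM-string check is deliberately broad: it is meant to tell a sandbox operator whether the environment is trivially fingerprintable, not to reproduce the exact string list inside this sample.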

MITRE ATT&CK Enterprise v15