General
- Target: a997cfe56b79d176151b54567ae198b8_JaffaCakes118
- Size: 896KB
- Sample: 241127-zpa8kazmew
- MD5: a997cfe56b79d176151b54567ae198b8
- SHA1: 4114beca52bed066f18576ae8be0562472466305
- SHA256: e58ad88bc079533e2fec178678114f2ed00dc07daff5a90eb38d4d7f7450d26c
- SHA512: d1924f296ed7aef11e4a96913a4ba8bb18afcb4b2d0760929e34017c3dc3b1f56bc73ab8c1cd9d9ce8e3ee92d6aa02cdbbf75eed1578b2b0a87455a45b1f1f06
- SSDEEP: 12288:s/WVJIejx6F8tDmskDAmiIYfPk2XqCNjh1+U90LAO2lKIFmd68tPdsrn9QVONBn4:xH8FgRkDAmiIYf1Xq+tscA1tPdsn98
Static task: static1
Behavioral task: behavioral1
- Sample: a997cfe56b79d176151b54567ae198b8_JaffaCakes118.exe
- Resource: win7-20241010-en
Malware Config
Targets
- Target: a997cfe56b79d176151b54567ae198b8_JaffaCakes118
- Size: 896KB
- MD5: a997cfe56b79d176151b54567ae198b8
- SHA1: 4114beca52bed066f18576ae8be0562472466305
- SHA256: e58ad88bc079533e2fec178678114f2ed00dc07daff5a90eb38d4d7f7450d26c
- SHA512: d1924f296ed7aef11e4a96913a4ba8bb18afcb4b2d0760929e34017c3dc3b1f56bc73ab8c1cd9d9ce8e3ee92d6aa02cdbbf75eed1578b2b0a87455a45b1f1f06
- SSDEEP: 12288:s/WVJIejx6F8tDmskDAmiIYfPk2XqCNjh1+U90LAO2lKIFmd68tPdsrn9QVONBn4:xH8FgRkDAmiIYf1Xq+tscA1tPdsn98
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)