General

  • Target

    b561f1dd7998e4ea299420d0bb96fcec_JaffaCakes118

  • Size

    636KB

  • Sample

    241201-116dhstqbx

  • MD5

    b561f1dd7998e4ea299420d0bb96fcec

  • SHA1

    9d53711b62658e67f28855060d8348cf1e11e5bc

  • SHA256

    fd3e283c521b16fb084a54e33e3aece4f79786fd5421563461a08bb436845f1c

  • SHA512

    8e030c0f12850d08a4e37f49299ae0872ab0e5fa9e29ca335ed41257df093b49bc0bc19f3163b34d9f91e7a532494b01b10cee85c19ec04a4e886c3307920350

  • SSDEEP

    12288:/pwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/J:xwAcu99lPzvxP+Bsz2XjWTRMQckkIXnh

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks