General

  • Target

    d116404d2acdba34a47f95053618a865_JaffaCakes118

  • Size

    437KB

  • Sample

    241207-haztyazray

  • MD5

    d116404d2acdba34a47f95053618a865

  • SHA1

    934aa5036f407ccf0db3d54683953042cee7e959

  • SHA256

    3a66d58200aa6a6f29a06e64ba7283e3614cdfa496cfd3ad73e146a75af6ee06

  • SHA512

    c83155a9ceb5f327e14812bc575ab6729ebee8256aeb01e9b5ad5114391f06e10db2ff826dc0478de7f394272ec62764c7aa1fbbec2964589de8dfc144b7119c

  • SSDEEP

    12288:+O/HJ+p+6RsIuQ/pyWPc+oBUbKVzYKj86sa3R:J/p+PvPaBUbKpYObR

Targets

    • Target

      d116404d2acdba34a47f95053618a865_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15