General

  • Target: d385e227d4ea2c72930ea472d89619b2_JaffaCakes118

  • Size: 976KB

  • Sample: 241207-zf6m4ssncv

  • MD5: d385e227d4ea2c72930ea472d89619b2

  • SHA1: 1abc99de85193f01da5c98827c166c57392f78a5

  • SHA256: 8e253716ab5ef33e07f2a2b922d2d820e84f2bdfa714e20601892baebddb2783

  • SHA512: 76b4fc960c44b79187cd49417b77964d0366693efb6e15eb00d4a1befe380886d8a3b979496fe0f180432d670f9cecf28fd4e7d16a87ef7810cf1ba4afca8d45

  • SSDEEP: 24576:7BgymA1F+WX8vXluMPVlj+ngLNwTmJM8Db5iivU:Z1p8ASUmS8ZY

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks