General

  • Target

    d7456007a18e3ef753d878fd4b609738_JaffaCakes118

  • Size

    1.2MB

  • Sample

    241208-qpsm6szkhm

  • MD5

    d7456007a18e3ef753d878fd4b609738

  • SHA1

    81943936080b6eee006281d7bb00a4ba071758ba

  • SHA256

    32bf0fadc0f91e74293232f370828869df6ba1c1ce27473874eb67451bddd696

  • SHA512

    d8ba24c51e57ce0cc8dadd97beb9c3edbd0cc001ace33a46b43992bd63c688f92bdb7c553c5b2b70ee647874cfc2bded0ea75649eb4d324f980f8dd589dd8666

  • SSDEEP

    24576:Rg8fQRCIOE7SUI0Pz1Xd8wENGS7H/GTf3tj4aZBbIUpbT:+yQRLOQ7p5Xd8weJ/Ulj4aZFIUpv

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • UAC bypass

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Disables RegEdit via registry modification

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15