General

  • Target

    d835c39082e0e5de09ff092a3d5a1e0a_JaffaCakes118

  • Size

    541KB

  • Sample

    241208-v4cmqazqcv

  • MD5

    d835c39082e0e5de09ff092a3d5a1e0a

  • SHA1

    9f515a5293a37e5b90342ef7b660fa5dee2d9518

  • SHA256

    0a43127615cb75db69dfbf202e22d33e7aced03c236a9dcc948ae3dd18fa8626

  • SHA512

    a5d17a922013c2df001dbdaccba49fb1a70aa2d711d2f695dabd6d31759eee35b579b02e4930367c6216d2da94c2cea75d0c63e3a6f2eaddf2823f2f5ec482f6

  • SSDEEP

    12288:YaNqMd0QZh9uEK/5P/EiKrbVVE2VihK/BBHY9sbzHLK:YED0QZh9ur4fc2Vik/Bl5zrK

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry (the machine's locale/region setting), likely a geofence check that decides whether the payload runs.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
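Several of the signatures above describe registry writes that are straightforward to hunt for on an endpoint. The following Python is an added example, not part of the sandbox report and not a record of this sample's actual writes: it maps five of the listed behaviours (Winlogon persistence, Run key, DisableRegistryTools, firewall policy, Security Center notification tampering) onto Sysmon Event ID 13 (RegistryEvent: Value Set) records. The rule paths are the standard Windows locations for those settings, the `RegistryEvent` shape and the sample events are constructed assumptions, and the process paths in the sample events are hypothetical.

```python
"""Flag DarkComet-style persistence and security-tampering registry writes in
Sysmon Event ID 13 records (added example; events below are constructed, not
taken from the analysed sample)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEvent:
    """One Sysmon Event ID 13 record reduced to the fields the rules need."""
    image: str    # Image: process that performed the write (hypothetical paths below)
    target: str   # TargetObject: full path of the registry value
    details: str  # Details: new data as Sysmon renders it, e.g. "DWORD (0x00000001)"


_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def dword(details):
    """Integer value of a Sysmon-rendered DWORD, or None if the data is not a DWORD."""
    m = _DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def winlogon_tampered(details):
    """Winlogon Userinit/Shell hold a comma-separated program list. The stock
    values name only userinit.exe and explorer.exe; any other program is an
    extra binary launched at every logon."""
    stock = {"userinit.exe", "explorer.exe"}
    programs = [p.strip().strip('"') for p in details.split(",") if p.strip()]
    return any(p.replace("/", "\\").split("\\")[-1].lower() not in stock
               for p in programs)


# (signature label as used in the report, value-path regex, data predicate)
RULES = [
    ("Modifies WinLogon for persistence",
     r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$",
     winlogon_tampered),
    ("Adds Run key to start application",
     r"\\Windows\\CurrentVersion\\Run\\[^\\]+$",
     lambda d: True),                          # any value written under Run
    ("Disables RegEdit via registry modification",
     r"\\Policies\\System\\DisableRegistryTools$",
     lambda d: (dword(d) or 0) != 0),          # 1 = regedit blocked
    ("Modifies firewall policy service",
     r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\\w+Profile\\EnableFirewall$",
     lambda d: dword(d) == 0),                 # 0 = firewall off for that profile
    ("Windows security modification",
     r"\\Microsoft\\Security Center\\\w+DisableNotify$",
     lambda d: (dword(d) or 0) != 0),          # 1 = Security Center alerts silenced
]
COMPILED = [(name, re.compile(path, re.IGNORECASE), pred) for name, path, pred in RULES]


def detect(events):
    """Return [(signature, image, target), ...] for every event matching a rule."""
    hits = []
    for ev in events:
        for name, path_re, pred in COMPILED:
            if path_re.search(ev.target) and pred(ev.details):
                hits.append((name, ev.image, ev.target))
    return hits


# Constructed sample: writes a dropper of this kind would make, next to benign
# writes by system processes that must not fire.
DROPPED = r"C:\Users\user\AppData\Roaming\dropped.exe"   # hypothetical path
SAMPLE_EVENTS = [
    RegistryEvent(DROPPED,
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
                  r"C:\Windows\system32\userinit.exe," + DROPPED),
    RegistryEvent(DROPPED,
                  r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
                  DROPPED),
    RegistryEvent(DROPPED,
                  r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
                  "DWORD (0x00000001)"),
    RegistryEvent(DROPPED,
                  r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
                  "DWORD (0x00000000)"),
    RegistryEvent(DROPPED,
                  r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify",
                  "DWORD (0x00000001)"),
    # benign noise: stock Winlogon value, firewall left on, regedit left enabled
    RegistryEvent(r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
                  "explorer.exe"),
    RegistryEvent(r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
                  "DWORD (0x00000001)"),
    RegistryEvent(r"C:\Windows\System32\gpupdate.exe",
                  r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
                  "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for sig, image, target in detect(SAMPLE_EVENTS):
        print(f"[{sig}] {image} -> {target}")
```

The predicates matter as much as the paths: a write to `EnableFirewall` or `DisableRegistryTools` is routine Group Policy traffic, and only the tampering value (firewall off, regedit blocked) should fire. The Run-key rule is deliberately unconditional, matching the report's signature, so expect to whitelist installers when running it over real telemetry.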

MITRE ATT&CK Enterprise v15

Tasks