General

  • Target

    d96023ce08d8f5d04c03894590a875f6_JaffaCakes118

  • Size

    844KB

  • Sample

    241209-nh1zvszraq

  • MD5

    d96023ce08d8f5d04c03894590a875f6

  • SHA1

    8948692a05894b3fe30ca91ec7f9a072e7e2b9d6

  • SHA256

    0af2f11e9509185513d5ebb4204399908329333704b4e9f59d094876bdda0da3

  • SHA512

    b7ac975c50c363938675419703d91328af68ec6276b970a568b54a83895aeb57403fbc3a9268a36f340c8f2b266001433f41f01241ec4b16db9e46621a213f30

  • SSDEEP

    12288:WZ0mSDkoeHJosIf5+xtQnyRLe6c0IxR0sOZWPfGVxVski6G27akR:ek9gIHkLTOv0sTnuVskF79R

Malware Config

Targets

    • Target

      d96023ce08d8f5d04c03894590a875f6_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks