General

  • Target: da40abfe812dcf74965ecfc4d688d67a_JaffaCakes118

  • Size: 955KB

  • Sample: 241209-snbdls1rh1

  • MD5: da40abfe812dcf74965ecfc4d688d67a

  • SHA1: 4073a034c0a114499088d38f4bc58cee43aa4d64

  • SHA256: 300b2870be148cdec74fa42544a6669f7edc2e3cd6269f067fb5129e8f55f20c

  • SHA512: c00219f7e3d4cedaa770874c04d80895f922d1bb4eeb0a9f7f5d4b683d518677a0329b4650df20b63676bacd2bbbe0057cdf274f436cc0ca7aa1589013f6d14b

  • SSDEEP: 24576:AH+T6Uv2llHQzol2mufQdiXOzZFLraCP0zxVF4:C+uDllwngzZNaOmxr4

Malware Config

Targets

    • Target: GOlfito.exe

    • Size: 1.2MB

    • MD5: 3bf77085d3cc3631dd2a29770f4d844e

    • SHA1: 6049321e1ccb8d594ed3a9db7740b2aef1b0bed3

    • SHA256: ce26affefbe19a456afd7df6ebae922bc6d295195746130d32d7705a2954bb1b

    • SHA512: ccd7b8d07e41901b440e71bbf94c7ea2ebff3e0ab8b6b2406abede0b10acb57247fe5bd5af3b6bc1b8780a5f406434256bdef1766eade339a66b135e62159518

    • SSDEEP: 24576:gHXBnBDLfLLK6Imt5SVxQRq1uGNmZ4sZPoy/yTL5Wdju7VuafQl5s4Uapw:gHRnxLfL2bmtQVxQM1uSaOBZ25s4UaG

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks