General

  • Target

    db07283ed9a188cb4dcbb547640c5be8_JaffaCakes118

  • Size

    834KB

  • Sample

    241209-xfn2ysxkew

  • MD5

    db07283ed9a188cb4dcbb547640c5be8

  • SHA1

    73757d07906e2452dc1763d68f861ab95fbc4373

  • SHA256

    bae611e78d2f69be840277103a759ba79a293c1d9ecf2d17970f55c185fb490d

  • SHA512

    687d5b3e154ed7e386aa6d7d84f57c56d1a2b0e438453dd1cbe20c3f02185a797a3de95e167f56bb78d96fa39b95038c0272cc9f3b67a08c08728649cd791096

  • SSDEEP

    12288:y3IELNe333N+b1aheOgYGhlaQrMKFXUNy/BYqSfpzjoxuM2Lt1ZzB6vd:y3IEJe3N+BaMOEwRKtUwpSBzuMJLMl

Malware Config

Targets

    • Target

      db07283ed9a188cb4dcbb547640c5be8_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks