General

  • Target

    dc27eceaf210841183bb41d174d82703_JaffaCakes118

  • Size

    806KB

  • Sample

    241210-alcjsawqey

  • MD5

    dc27eceaf210841183bb41d174d82703

  • SHA1

    3168822dae81eec0db1717de9eaeb8b815342b39

  • SHA256

    57a1236800a5aed6cb19fdbacddf7690879e7089a3a4e53e69914a881deeee9d

  • SHA512

    42bfb70ce62522e95e9c3c1a6cd6e1488d7044a94a017ae4bd1ed6ba7e3858f987a4d48bb40f412501918639b83c14e9544a8acceb7fb7eda377e8a4d8b582a2

  • SSDEEP

    12288:vYUAPSGPXu8BFlemZpYZ0RKYrb/FGLzj2Ev7CQGuXMgpTYnsqhAiuwW:mSSuO1MZ0B/F4muXbpE+tr

Targets

    • Target

      dc27eceaf210841183bb41d174d82703_JaffaCakes118

    • Size

      806KB

    • MD5

      dc27eceaf210841183bb41d174d82703

    • SHA1

      3168822dae81eec0db1717de9eaeb8b815342b39

    • SHA256

      57a1236800a5aed6cb19fdbacddf7690879e7089a3a4e53e69914a881deeee9d

    • SHA512

      42bfb70ce62522e95e9c3c1a6cd6e1488d7044a94a017ae4bd1ed6ba7e3858f987a4d48bb40f412501918639b83c14e9544a8acceb7fb7eda377e8a4d8b582a2

    • SSDEEP

      12288:vYUAPSGPXu8BFlemZpYZ0RKYrb/FGLzj2Ev7CQGuXMgpTYnsqhAiuwW:mSSuO1MZ0B/F4muXbpE+tr

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15