General

  • Target

    e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118

  • Size

    719KB

  • Sample

    241212-g4tdksxmgk

  • MD5

    e516dbf12f1aa8136f1b3463f544191c

  • SHA1

    544c5c5e5f867354509f1f4b072e487a7f3198a9

  • SHA256

    497d9334bc0bbbbc975d0d5bce327738f9ac23dc65b9599655217d2c3c0a9149

  • SHA512

    a50028c75acd2df3848a673f7c44b77679fb0dc811edfa99674992915fb6e0518e4388f8d283622063db322fc93b26921068d279a546cdc7f1201328f6751311

  • SSDEEP

    12288:tpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIb:PwAcu99lPzvxP+Bsz2XjWTRMQckkIb

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.
