General

  • Target

    e8188f5de0f1e14162d22789c7ffddee_JaffaCakes118

  • Size

    711KB

  • Sample

    241212-y2al5ayjfq

  • MD5

    e8188f5de0f1e14162d22789c7ffddee

  • SHA1

    7d818e2ca53aa2703dea0b73b68573a6d936927a

  • SHA256

    7a5e59c86a8e8d7a86e14fc86a813df5226ad960b982a4dca6a9392c173e7e5d

  • SHA512

    760076d0441e6b508515aa38db5eaacc052cf46027cb14ac6e83318a21b1bbc72b3a66d8ecbdda94a400c1b733364f604f1879e528edf49d983b897a147d84b8

  • SSDEEP

    12288:3oClLpPncefwZpn5WSNWGSFQB5jf9yt0edyUQ9LAXQmcXYKvk/tajkl:3o8dcywZpn5WSNWGS23G8/8QJXYKvKZl

Malware Config

Targets

    • Target

      e8188f5de0f1e14162d22789c7ffddee_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to (or away from) particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
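
The signatures above name persistence and security-tampering locations but not the values this sample writes. The following host-triage script is an added example, not part of the sandbox report and not DarkComet's own code: it inspects the standard Windows registry locations behind "Modifies WinLogon for persistence", "Adds Run key to start application", "Modifies firewall policy service", "Windows security modification" and "Drops file in System32 directory", and reports anything non-default rather than matching a known indicator. The Security Center flags in step 4 are an assumption about what that signature keys on (they are the legacy keys DarkComet-era RATs commonly set); the seven-day window and the user-writable-path regex are arbitrary triage choices.

```powershell
# Added host-triage script for the signatures listed above. Not part of the
# sandbox report and not the malware's own code. Registry paths are the
# standard Windows locations; the specific values this sample writes are not
# given on the page, so everything non-default is reported.
# Run from an elevated PowerShell prompt on the suspect host.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $findings.Add($Text) }

# 1. "Modifies WinLogon for persistence": Shell and Userinit run at every logon.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl) {
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        Add-Finding "Winlogon\Shell = '$($wl.Shell)' (default: explorer.exe)"
    }
    $userinitDefault = "$env:SystemRoot\system32\userinit.exe,"
    if ($wl.Userinit -and $wl.Userinit -ne $userinitDefault) {
        Add-Finding "Winlogon\Userinit = '$($wl.Userinit)' (default: $userinitDefault)"
    }
}

# 2. "Adds Run key to start application": list every autorun entry and flag
#    commands pointing into user-writable or temp locations (regex is an
#    arbitrary triage heuristic, not an indicator from the report).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspiciousDirs = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        $flag = if ($p.Value -match $suspiciousDirs) { ' [user-writable path]' } else { '' }
        Add-Finding "Run entry $key\$($p.Name) = '$($p.Value)'$flag"
    }
}

# 3. "Modifies firewall policy service": EnableFirewall=0 in any profile, or the
#    Windows Firewall service (mpssvc) set to Disabled (Start=4).
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $fw = Get-ItemProperty -Path "$fwBase\$profile" -ErrorAction SilentlyContinue
    if ($fw -and $fw.EnableFirewall -eq 0) {
        Add-Finding "Firewall disabled in $profile (EnableFirewall=0)"
    }
}
$mpssvc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mpssvc' -ErrorAction SilentlyContinue
if ($mpssvc -and $mpssvc.Start -eq 4) { Add-Finding 'mpssvc (Windows Firewall) start type is Disabled (4)' }

# 4. "Windows security modification" / "Windows security bypass": legacy Security
#    Center notification/override flags and the Defender policy kill switch.
#    Assumption: these are the keys the sandbox signature keys on.
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify', 'AntiVirusOverride', 'FirewallOverride') {
    if ($sc -and $sc.$name -eq 1) { Add-Finding "Security Center\$name = 1" }
}
$def = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) { Add-Finding 'Windows Defender policy DisableAntiSpyware = 1' }

# 5. "Drops file in System32 directory" / "Executes dropped EXE": executables
#    created in System32 within the last 7 days (arbitrary window) that do not
#    carry a valid Authenticode signature.
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Add-Finding "Recent file with non-valid signature in System32: $($_.FullName) (created $($_.CreationTime), status $($sig.Status))"
        }
    }

if ($findings.Count -eq 0) { Write-Output 'No findings.' } else { $findings | ForEach-Object { Write-Output $_ } }
```

Treat the output as leads, not verdicts: legitimate software also writes Run entries, and an unsigned file in System32 is common on systems with third-party drivers. "Checks BIOS information in registry" and "Checks computer location settings" are reads rather than writes (typically HKLM\HARDWARE\DESCRIPTION\System and HKCU\Control Panel\International\Geo), so they leave nothing to find on the host; they are better caught at runtime with registry-access auditing than by a post-hoc scan.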

MITRE ATT&CK Enterprise v15

Tasks