General

Target: e80e2e312ca2d56401c304ac6f7c4e4b_JaffaCakes118
Size: 644KB
Sample: 241212-ytv8vsxqdn
MD5: e80e2e312ca2d56401c304ac6f7c4e4b
SHA1: 7969ab497fa1119c76f57ce084e331263160da15
SHA256: 0eb94ab4ac84838292b2b94c020f4a75318d45f5dc39983e273a9cfbcf15678c
SHA512: d04662efd99d407bd6533126846fa79ef9a91109ae04df6d9a9d60f3497cf98b86870e04fb1546a1f26501b25c59d10d018122e191a076a95329201194bb4aed
SSDEEP: 12288:hhWr1in8urT5cV4Xem4p1vESPAPB+kM1bkq:qQNTWfR/FOAk8t

Static task: static1
Behavioral task: behavioral1
  Sample: e80e2e312ca2d56401c304ac6f7c4e4b_JaffaCakes118.exe
  Resource: win7-20241010-en
Malware Config

Targets

Target: e80e2e312ca2d56401c304ac6f7c4e4b_JaffaCakes118
- Darkcomet family
- Modifies firewall policy service
- Disables Task Manager via registry modification
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)