General

  • Target

    f1fba390156ecf5fd54a788ce6014017_JaffaCakes118

  • Size

    443KB

  • Sample

    241215-dj6avstpdr

  • MD5

    f1fba390156ecf5fd54a788ce6014017

  • SHA1

    52f0f84f2a3c3e749a748a2a3e5532eff7500463

  • SHA256

    f004d8af06d317be8c725af9f0a0b07ad8e7232da8d96d95e773b8e28e6acfec

  • SHA512

    b4c91fffcb0d88012799b6f880cfe2ee82b2a632cab0370285a6751b0df4ab3bbd67fa8c588689ab01f65250a9e45074ad7bb411ec5deee26e66eeac31ab041d

  • SSDEEP

    6144:0CJUBApDw9gDsBhMKA72UYI1W82cODU/3SZwmLRlHzX5ljFJlh2t:0ZBMDw9RBaKcXsinq/lZ32t

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks