General

  • Target

    f39ddcb42f54dbd955b798ed1bb3379a_JaffaCakes118

  • Size

    340KB

  • Sample

    241215-mpzvps1pgx

  • MD5

    f39ddcb42f54dbd955b798ed1bb3379a

  • SHA1

    82afa930f6049202cc7e26dc460492d54319520f

  • SHA256

    303cfc0ae7efa5ca9e83da9e2ff453d789b6c145ab20c3295a8b80897926ba0b

  • SHA512

    c2dc6bdf5e2b1dd7a24d49416a3ad7fbed1e630e159412cf85be473b4ded923da443524401e01d0793603659572ae348ee369bce21deb4efaec9f01ece83a823

  • SSDEEP

    6144:gLR3lJlRmxtpBIUNQcocN6YnYkWm6W/jnL3BfDvOzOHOfbYcrRbfDvOHzqFr/bfv:ER1JlUxtpBIUNQcocN5nYkp7/jnL3BfU

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Windows security bypass

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks