General

  • Target

    f41ef2560568dbf67275f96faf20091f_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241215-p8qggswqbm

  • MD5

    f41ef2560568dbf67275f96faf20091f

  • SHA1

    4c14b89ad8e17a2122f4e75e25b4aff1402d7a6c

  • SHA256

    e4165826c92dbf49de83364b1e148d71e56b3fa286ece7c666c4f375291ba2ae

  • SHA512

    f91835fef1fe879f0f4e6046a89660d7b675d4a37156ecf6e0983fb145587bf3ef331267e8be7f6eae49259c23daafbc89a35dd5b15925460934a278a0b38626

  • SSDEEP

    24576:GdlOOwjvfY1jXUJt/tn5qA8ls+F3TFcm7zDYvmVPflzaWH3IfUhlk/:GbwjnOXuFn5qhls+JTFb7BXlmWH34Uhy

Malware Config

Targets

    • Target

      f41ef2560568dbf67275f96faf20091f_JaffaCakes118

    • Size

      1.1MB

    • MD5

      f41ef2560568dbf67275f96faf20091f

    • SHA1

      4c14b89ad8e17a2122f4e75e25b4aff1402d7a6c

    • SHA256

      e4165826c92dbf49de83364b1e148d71e56b3fa286ece7c666c4f375291ba2ae

    • SHA512

      f91835fef1fe879f0f4e6046a89660d7b675d4a37156ecf6e0983fb145587bf3ef331267e8be7f6eae49259c23daafbc89a35dd5b15925460934a278a0b38626

    • SSDEEP

      24576:GdlOOwjvfY1jXUJt/tn5qA8ls+F3TFcm7zDYvmVPflzaWH3IfUhlk/:GbwjnOXuFn5qhls+JTFb7BXlmWH34Uhy

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Sets file to hidden

      Sets the hidden attribute on the dropped file so that Explorer and ordinary directory listings do not show it by default.

    • Checks BIOS information in registry

      BIOS strings are read from the registry (HKLM\HARDWARE\DESCRIPTION\System, e.g. SystemBiosVersion and VideoBiosVersion), often to detect virtualised sandbox environments by vendor strings.

    • Checks computer location settings

      Looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process hollowing and other code injection, where a suspended thread's entry point is redirected to attacker-controlled code.
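
The signatures listed above are derived from the sandbox's API trace of the sample. The following is an added example, not part of this report and not the sandbox's own detection code, that replays a small constructed trace through one rule per registry- and file-based signature in the list and correlates "dropped" files with their later execution or loading. The trace lines, pids, file paths and value names are made up for illustration; the registry locations in the rules are the standard Windows ones. The SetThreadContext signature is not modelled, as it needs a process-injection view rather than registry or file events.

```python
import re

# Constructed sandbox API trace for illustration; it is NOT from the sample in this
# report. Fields: pid | API action | target path | data written or flags ('-' = none).
TRACE = [
    r"1234 | WriteFile | C:\Users\victim\AppData\Roaming\svc\updater.exe | -",
    r"1234 | WriteFile | C:\Users\victim\AppData\Roaming\svc\helper.dll | -",
    r"1234 | RegQueryValue | HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion | -",
    r"1234 | RegQueryValue | HKCU\Control Panel\International\Geo\Nation | -",
    r"1234 | RegSetValue | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater | C:\Users\victim\AppData\Roaming\svc\updater.exe",
    r"1234 | RegSetValue | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\svc\updater.exe",
    r"1234 | RegSetValue | HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools | 1",
    r"1234 | RegSetValue | HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall | 0",
    r"1234 | RegSetValue | HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify | 1",
    r"1234 | SetFileAttributes | C:\Users\victim\AppData\Roaming\svc\updater.exe | HIDDEN,SYSTEM",
    r"1234 | CreateProcess | C:\Users\victim\AppData\Roaming\svc\updater.exe | -",
    r"1234 | LoadLibrary | C:\Users\victim\AppData\Roaming\svc\helper.dll | -",
    r"5678 | RegSetValue | HKCU\Software\Contoso\Editor\LastFile | C:\notes.txt",  # benign noise
]

# Single-event rules: (report signature, API action, regex on path, regex on data or None).
# Registry paths are matched case-insensitively, as the registry itself is.
RULES = [
    ("Adds Run key to start application", "RegSetValue",
     r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", None),
    ("Modifies WinLogon for persistence", "RegSetValue",
     r"\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", None),
    ("Disables RegEdit via registry modification", "RegSetValue",
     r"\\Policies\\System\\DisableRegistryTools$", r"^1$"),   # writing 0 re-enables it
    ("Modifies firewall policy service", "RegSetValue",
     r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", None),
    ("Modifies security service", "RegSetValue",
     r"\\Microsoft\\Security Center\\", None),
    ("Checks BIOS information in registry", "RegQueryValue",
     r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", None),
    ("Checks computer location settings", "RegQueryValue",
     r"\\Control Panel\\International\\Geo\\Nation$", None),
    ("Sets file to hidden", "SetFileAttributes", r".", r"\bHIDDEN\b"),
]


def parse(line):
    """Split one constructed trace line into (pid, action, path, data)."""
    pid, action, path, data = (f.strip() for f in line.split(" | ", 3))
    return pid, action, path, ("" if data == "-" else data)


def evaluate(trace):
    """Map each report signature to the trace lines that triggered it (first-hit order)."""
    hits = {}
    written = set()  # paths this trace wrote to disk, for the 'dropped' correlations

    def hit(sig, line):
        hits.setdefault(sig, []).append(line)

    for line in trace:
        pid, action, path, data = parse(line)
        for sig, rule_action, path_re, data_re in RULES:
            if action != rule_action:
                continue
            if not re.search(path_re, path, re.IGNORECASE):
                continue
            if data_re and not re.search(data_re, data, re.IGNORECASE):
                continue
            hit(sig, line)
        # Two-event correlations: a file written earlier in the trace is now run or loaded.
        if action == "WriteFile":
            written.add(path.lower())
        elif action == "CreateProcess" and path.lower() in written:
            hit("Executes dropped EXE", line)
        elif action == "LoadLibrary" and path.lower() in written:
            hit("Loads dropped DLL", line)
    return hits


if __name__ == "__main__":
    for sig, lines in evaluate(TRACE).items():
        print(f"{sig}: {len(lines)} event(s)")
        for line in lines:
            print("    " + line)
```

The single-event rules deliberately match on value names rather than on the data written, except for DisableRegistryTools, where the value matters: writing 0 restores RegEdit and should not be reported as disabling it. The dropped-file correlations key on the lower-cased path so that a later CreateProcess or LoadLibrary with different casing still links back to the write.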

MITRE ATT&CK Enterprise v15

Tasks