General

  • Target

    f75078e54038127175a9427a97a7a18a_JaffaCakes118

  • Size

    1.9MB

  • Sample

    241216-e5fsrstray

  • MD5

    f75078e54038127175a9427a97a7a18a

  • SHA1

    a7d690faa893fdbd79d8090ffb23ef83941ee860

  • SHA256

    1ed406800fe84b02e902fe982675094fe87416d6d611f92da2fc335c626ebc9f

  • SHA512

    fe3a1be60f792d8d6a24738a305ce6000a8bde87226addc49ab31ed12bd7d36a202c040e6a528fc829bab40d9d2f709dd52fd92e15c476b03c42e9547e9b2e4a

  • SSDEEP

    49152:yAcIzpP+hickkI3deTXVkIVo0uYripj0:y3IzJFdtmZuoGA

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies security service

    • Disables Task Manager via registry modification

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks