General

  • Target

    f9ebb626e7cb5645d28d3afdd60f15a0_JaffaCakes118

  • Size

    5.7MB

  • Sample

    241218-d2kf4s1maz

  • MD5

    f9ebb626e7cb5645d28d3afdd60f15a0

  • SHA1

    fcbb902aba8354d948a6b956a6af8af9bcadb604

  • SHA256

    bd71d73f17ee2d2c8e8344a1ee79af3d0d8df501edc46704bfdd9bc674e0e3a0

  • SHA512

    1fab663d58817042f3de93191b1751e1aa212c7928618a10e13cd5a1a8fa08a299cec2ae9639201033e127cb1e2d0b6ec3c68f6b9a3503d5e9b37ffb01d9c434

  • SSDEEP

    12288:DN/ihOYTMXypyrfSN3guZfR7nGHOKZmPLnvLn73m8L/yrfimxItJGkg7SDuw0YoS:R6hN4XypEfogGTtaLSywpYDvERFR3mnm

Malware Config

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks