General
-
Target
JaffaCakes118_6ec2be88419a7a21ae7267bac9dcd84d
-
Size
733KB
-
Sample
250103-xgkqxsxphs
-
MD5
6ec2be88419a7a21ae7267bac9dcd84d
-
SHA1
7200e1b2f7949b8db675dd86a7f69252add731ce
-
SHA256
92ac4c9a8450b75edb5c0cc61f690d65da34ad347a4f313d2334b602f4f0d9b2
-
SHA512
4d1091ba2b63ee96b22a02dcb8e47f6fc51f1443146ef77795cb0b7f6d7a83cadb712309078d7a0ca84cd87614dd0853d49f60d10877c56b50aa34e8d2a560f9
-
SSDEEP
12288:dpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/:fwAcu99lPzvxP+Bsz2XjWTRMQckkIXn
Malware Config
Targets
-
-
Target
JaffaCakes118_6ec2be88419a7a21ae7267bac9dcd84d
-
Size
733KB
-
MD5
6ec2be88419a7a21ae7267bac9dcd84d
-
SHA1
7200e1b2f7949b8db675dd86a7f69252add731ce
-
SHA256
92ac4c9a8450b75edb5c0cc61f690d65da34ad347a4f313d2334b602f4f0d9b2
-
SHA512
4d1091ba2b63ee96b22a02dcb8e47f6fc51f1443146ef77795cb0b7f6d7a83cadb712309078d7a0ca84cd87614dd0853d49f60d10877c56b50aa34e8d2a560f9
-
SSDEEP
12288:dpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/:fwAcu99lPzvxP+Bsz2XjWTRMQckkIXn
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1