Extracted

• • Target

    06a15ab711359ca5c66335039793daaf_JaffaCakes118

  • Size

    770KB

  • MD5

    06a15ab711359ca5c66335039793daaf

  • SHA1

    95bd3194b060bc8e775e5bc0a76bc6dc0094a70b

  • SHA256

    f51a0aa16b0a033eaeb45e5bbea6b492b499a0af1404309882f333f18f4e890a

  • SHA512

    925fe2815b0ff212a26b1d1e63de27c44f83069c9a8b3643f114c28b9b6764ca867e5039324ca92174730f777dcd75e5f4f43b13583ff8ad599fbe810a58f998

  • SSDEEP

    12288:P9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/B:5Z1xuVVjfFoynPaVBUR8f+kN10EdB

  Score

  10^/10

  darkcometguest16discoveryevasionpersistencerattrojanandromedabackdoorbotnet

  • Andromeda family

    andromeda

  • Andromeda, Gamarue

    Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

    botnetbackdoorandromeda

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Detects Andromeda payload.

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • Adds policy Run key to start application

    persistence

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2