General
Target: 5f95af9cbc5a4d1705f7e9f17a7a34c4_JaffaCakes118
Size: 252KB
Sample: 240520-rwr6naef7y
MD5: 5f95af9cbc5a4d1705f7e9f17a7a34c4
SHA1: 93b0f593fd666c7e7bfcedc110a4f0654c8a0112
SHA256: e44ab9dcf709ae1194e77082424c26b38b8d810aef0d3208c8f58c2743bbde43
SHA512: c19dc5533f90cf596d7a47179e06a91cc04a5196075a9e2c84bfbb659258f5b0c92f174939283bf89cdb1b358bcf44c7e963301278d9409db8b6c2234ec8db84
SSDEEP: 6144:6cNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37eSGDY:6cW7KEZlPzCy37XG
Behavioral task
behavioral1
Sample: 5f95af9cbc5a4d1705f7e9f17a7a34c4_JaffaCakes118.exe
Resource: win7-20240508-en
Malware Config
Extracted
Family: darkcomet
Campaign ID: Guest16
C2: gem0t0gen10.ddns.net:1605
Mutex: DC_MUTEX-SWM65EH
InstallPath: MSDCSC\msdcsc.exe
gencode: nVQjaDV6ixEf
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: 5f95af9cbc5a4d1705f7e9f17a7a34c4_JaffaCakes118
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
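The extracted configuration and the behaviour list together give a responder everything needed to hunt for this sample on other hosts: the C2 hostname and port, the mutex, the install path, the Run value name, and the registry policies that disable RegEdit and Task Manager. The following Python script is an added example, not part of the sandbox report. CONFIG repeats the values the sandbox extracted; the registry locations it checks (the CurrentVersion\Run key, Winlogon Userinit, and DisableRegistryTools / DisableTaskMgr under Policies\System) are the standard Windows locations DarkComet touches and are an assumption here, not values printed by the report; REG_EXPORT, DNS_LOG and HANDLES are constructed sample evidence.

```python
"""Hunt for the DarkComet indicators extracted in the Malware Config section
against host and network evidence.

Added example, not part of the sandbox report. CONFIG repeats the extracted
values; the registry locations (Run key, Winlogon Userinit, Policies\\System
lockout values) are assumed standard DarkComet targets, and REG_EXPORT, DNS_LOG
and HANDLES are constructed evidence, not data from the report."""
import re

# Values as extracted by the sandbox (Malware Config section above).
CONFIG = {
    "family": "darkcomet",
    "campaign_id": "Guest16",
    "c2": "gem0t0gen10.ddns.net:1605",
    "mutex": "DC_MUTEX-SWM65EH",
    "install_path": r"MSDCSC\msdcsc.exe",
    "reg_key": "MicroUpdate",
    "persistence": True,
    "offline_keylogger": True,
}

# Constructed evidence in .reg export syntax (backslashes are doubled there).
REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate"="C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\Documents\\MSDCSC\\msdcsc.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"""
# Constructed resolver log and handle listing.
DNS_LOG = """
2024-05-20T15:01:02Z 10.0.0.5 query A gem0t0gen10.ddns.net
2024-05-20T15:01:07Z 10.0.0.5 query A update.microsoft.com
"""
HANDLES = r"""
msdcsc.exe pid: 1337 Mutant \Sessions\1\BaseNamedObjects\DC_MUTEX-SWM65EH
explorer.exe pid: 1204 Mutant \Sessions\1\BaseNamedObjects\ShellMutex
"""


def iocs_from_config(cfg):
    """Derive the indicators worth hunting for from an extracted DarkComet config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_path": cfg["install_path"].lower(),
        "run_value": cfg["reg_key"],
    }


def _unescape(reg_value):
    """Collapse the doubled backslashes of .reg syntax and lowercase for matching."""
    return reg_value.replace("\\\\", "\\").lower()


def scan_registry_export(text, ioc):
    """Return (finding, key, value_name) tuples for the persistence and lockout
    artefacts listed under the target's behaviours."""
    findings = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or key is None:
            continue
        name, value = m.group(1), _unescape(m.group(2))
        k = key.lower()
        if k.endswith(r"\currentversion\run") and name == ioc["run_value"]:
            findings.append(("run_key", key, name))            # "Adds Run key"
        if k.endswith(r"\winlogon") and name.lower() == "userinit" and ioc["install_path"] in value:
            findings.append(("winlogon_userinit", key, name))  # "Modifies WinLogon"
        if k.endswith(r"\policies\system") and name in ("DisableRegistryTools", "DisableTaskMgr") and value == "dword:00000001":
            findings.append(("tool_lockout", key, name))       # RegEdit / Task Manager disabled
    return findings


def scan_lines(text, needle):
    """Lines of a log or listing that mention the indicator (case-insensitive)."""
    needle = needle.lower()
    return [ln for ln in text.splitlines() if needle in ln.lower()]


def hunt(cfg=CONFIG):
    """Run every check and return a summary usable in a ticket or SIEM alert."""
    ioc = iocs_from_config(cfg)
    reg = scan_registry_export(REG_EXPORT, ioc)
    dns = scan_lines(DNS_LOG, ioc["c2_host"])
    mutex = scan_lines(HANDLES, ioc["mutex"])
    return {
        "c2": f'{ioc["c2_host"]}:{ioc["c2_port"]}',
        "registry": reg,
        "dns_hits": dns,
        "mutex_hits": mutex,
        "infected": bool(reg or dns or mutex),
    }


if __name__ == "__main__":
    for k, v in hunt().items():
        print(f"{k}: {v}")
```

Because the config sets offline_keylogger to true, a confirmed hit should be treated as a credential exposure for every account that logged on to the host, not only as a cleanup task; and since the C2 is a dynamic-DNS name, block on the hostname rather than on whatever address it resolved to in the sandbox run.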
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)