General

Target: 10ebd248f121a61518a8aeffa125e7b7_JaffaCakes118
Size: 660KB
Sample: 240626-ggtqts1dmj
MD5: 10ebd248f121a61518a8aeffa125e7b7
SHA1: 7d18da8d72bd9c5e33366ea9a54e56b42041e568
SHA256: 71d8a7b8dddc55173689a9f090bf64d3eee60a74fe4d34592b319437ef928099
SHA512: 52c1b7a39e35a3dc777533c1823511b92ef2cbf212a84ee025369e326f0f38298f6e3a4a3500289985a3e54779f9346263d55b8c9179dc1155c639db79b26d1c
SSDEEP: 12288:MXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UO:anAw2WWeFcfbP9VPSPMTSPL/rWvzq4J+
Behavioral task

behavioral1
Sample: 10ebd248f121a61518a8aeffa125e7b7_JaffaCakes118.exe
Resource: win7-20240221-en
Malware Config

Extracted

Family: darkcomet
Botnet: DarkComet
C2: 178.33.181.10:1604
Mutex: DC_MUTEX-P3P2TTH
InstallPath: Windupdt\winupdate.exe
gencode: T5rJaLq4qNuE
install: true
offline_keylogger: true
password: lol1234
persistence: true
reg_key: winupdater
Targets

Target: 10ebd248f121a61518a8aeffa125e7b7_JaffaCakes118
Size: 660KB
MD5: 10ebd248f121a61518a8aeffa125e7b7
SHA1: 7d18da8d72bd9c5e33366ea9a54e56b42041e568
SHA256: 71d8a7b8dddc55173689a9f090bf64d3eee60a74fe4d34592b319437ef928099
SHA512: 52c1b7a39e35a3dc777533c1823511b92ef2cbf212a84ee025369e326f0f38298f6e3a4a3500289985a3e54779f9346263d55b8c9179dc1155c639db79b26d1c
SSDEEP: 12288:MXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UO:anAw2WWeFcfbP9VPSPMTSPL/rWvzq4J+

Signatures

- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)