Extracted

• • Target

    111a0e25005a8f8ceb917a602717446e_JaffaCakes118

  • Size

    555KB

  • MD5

    111a0e25005a8f8ceb917a602717446e

  • SHA1

    67443662b53903d6040fd4c23996b7dbf1faea2b

  • SHA256

    65dfe1cfe57a4548bdb2c2c5c8008f4630bd8e8528569fb3d50214fe4e9dcc71

  • SHA512

    7ea31ea7e3e8f4f119014be3638926c87796e7ffb4b931c4c6f47eab00c9ff42b799602636590938a6d1b11d7be274677a57463080a4891ffa17bfdbfe4db513

  • SSDEEP

    12288:tZeVQkTrvj40RJEnIjH/S+wUpr9PLgKoy5MBg3kZezeQ7kSEsjfhNcMvm:twQkTf40XUMEUppPzoYzeQTrIqm

  Score

  10^/10

  darkcometlatentbotevasionpersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2