Extracted

• • Target

    689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118

  • Size

    601KB

  • MD5

    689d3b376444629b2db7f4f4bbf194b0

  • SHA1

    89361e65979066937b7d24720ac8e5a107cfc60e

  • SHA256

    57e57b8eefd5a9f717396871df8bb5572ec6b94ab0985a551c838414317bebda

  • SHA512

    94831e1a8625c8c11ff30a68870ddea0a71dcfbf1667939b12f6432ec0dfd66a609a51dd5008e15a381bc4632bb6940ed85abdcea48e505b5f78cb20ba8c9c61

  • SSDEEP

    12288:v6Wq4aaE6KwyF5L0Y2D1PqL2OlxFzU+RaO0kxDRu0h1nGiJdZttE37U6I:tthEVaPqL2OlXPfLNhPGgdleI

  Score

  10^/10

  darkcometguest16discoveryevasionpersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  behavioral1behavioral2