General
- Target: 6b18a6b20832fb7929ccb4b3043f3218_JaffaCakes118
- Size: 964KB
- Sample: 240724-lk5dyssbme
- MD5: 6b18a6b20832fb7929ccb4b3043f3218
- SHA1: 6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a
- SHA256: 70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20
- SHA512: f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9
- SSDEEP: 24576:CMFvr6fMVQXwU23E/0iprDKUHSIHzOIfbfxRwv6lRu9xitRHsn:CMFO+QXwb3xGmDIHzOIfjblRuCto
Static task: static1
Behavioral task: behavioral1
- Sample: 6b18a6b20832fb7929ccb4b3043f3218_JaffaCakes118.exe
- Resource: win7-20240705-en
Malware Config
Extracted: darkcomet
- Guest16
- 84.72.27.213:1604
- DC_MUTEX-3WNETRQ
- InstallPath: MSDCSC\msdcsc.exe
- gencode: RJVLW58TNDYF
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Targets
- Target: 6b18a6b20832fb7929ccb4b3043f3218_JaffaCakes118
- Size: 964KB
- Modifies WinLogon for persistence
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR) (bootkits write to the MBR to gain persistence at a level below the operating system)
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)