General
Target: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118
Size: 1.1MB
Sample: 240802-dy5ymstckk
MD5: 82dc3548b3bdb2f5ac595a7b10a686b5
SHA1: 2fd25bcfb3440d3d9b55e20a6f272def0644fc9e
SHA256: a594312bae733f5b364d85bbb4116a31d5a40617b1e1487a4f1243cc6e15375d
SHA512: 82fe8bca701a04baaf577f70aea7e0fdbf13af4ddbf1422c0a75bba06aaf0e4a9f651e0dc7752326b9a792f53c648a119156467d9b3d3c8c7f1c4d296be10f6d
SSDEEP: 24576:pNh+giDWlMUKfb3QUi1Cqn21DEEZ6yh0u:pn+giEMr8UXsQQEJX
Static task: static1
Behavioral task: behavioral1
Sample: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Resource: win7-20240729-en
Malware Config
Extracted: darkcomet
Botnet: Guest16
C2: yesyoa.no-ip.biz:1337
Mutex: DC_MUTEX-F54S21D
InstallPath: MSDCSC\msdcsc.exe
gencode: MlumXEwFRnE1
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118 (1.1MB; hashes as listed under General)
Signatures
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system. This is a heuristic signature on raw disk writes; confirm the written bytes before treating the sample as a bootkit.
- Suspicious use of SetThreadContext (commonly seen in process hollowing and other thread-hijacking injection)
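The extracted config and the persistence signatures above give concrete, host-observable indicators. The following Python is an added example (not part of the sandbox output) that matches a stream of endpoint telemetry against them: the config values are copied from this report, every telemetry event is constructed for illustration, and the exact registry layout (a Run value named after reg_key, and the install path appended to the Winlogon Userinit/Shell values) is an assumption about how DarkComet installs itself rather than something this report states. The Event class, RUN_KEYS, WINLOGON_KEY and the 1604 default port are likewise assumptions for the example.

```python
"""Match constructed endpoint telemetry against the DarkComet config above.

Added example for this report, not sandbox output. CONFIG values are copied
from the page; SAMPLE_EVENTS are constructed; the registry layout and the
1604 fallback port are assumptions, not facts stated by the report.
"""
import re
from dataclasses import dataclass, field

CONFIG = {  # copied from the Malware Config section of the report
    "c2": "yesyoa.no-ip.biz:1337",
    "mutex": "DC_MUTEX-F54S21D",
    "install_path": r"MSDCSC\msdcsc.exe",
    "reg_key": "MicroUpdate",
    "gencode": "MlumXEwFRnE1",
}

# Assumed locations: Run/RunOnce keys and the Winlogon values DarkComet appends to.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_VALUES = ("userinit", "shell")


def parse_c2(c2: str) -> tuple[str, int]:
    """Split the 'host:port' string as written in the config (1604 if no port: assumed default)."""
    host, sep, port = c2.rpartition(":")
    if not sep:
        return c2.lower(), 1604
    return host.lower(), int(port)


@dataclass
class Event:
    kind: str                      # "registry", "mutex", "dns", "connect" or "file"
    fields: dict = field(default_factory=dict)


def _norm_key(path: str) -> str:
    """Lower-case, normalise slashes and strip the hive prefix (HKCU\\ or HKEY_CURRENT_USER\\)."""
    p = path.replace("/", "\\").lower()
    return re.sub(r"^(hkey_[a-z_]+|hk[a-z]{2})\\", "", p)


def match_event(ev: Event, cfg: dict) -> list[str]:
    """Return the indicator labels this single event hits (empty list if none)."""
    hits = []
    host, port = parse_c2(cfg["c2"])
    install = cfg["install_path"].lower()
    if ev.kind == "mutex" and ev.fields.get("name") == cfg["mutex"]:
        hits.append("mutex:" + cfg["mutex"])
    elif ev.kind == "dns" and ev.fields.get("query", "").lower().rstrip(".") == host:
        hits.append("dns:" + host)
    elif ev.kind == "connect" and ev.fields.get("port") == port \
            and ev.fields.get("host", "").lower() == host:
        hits.append(f"c2:{host}:{port}")
    elif ev.kind == "registry":
        key = _norm_key(ev.fields.get("key", ""))
        name = ev.fields.get("value_name", "").lower()
        data = ev.fields.get("data", "").lower()
        # Run-key persistence: value named after reg_key, or pointing at the install path.
        if key in RUN_KEYS and (name == cfg["reg_key"].lower() or install in data):
            hits.append("persistence:run-key")
        # Winlogon persistence: install path appended to Userinit/Shell.
        if key == WINLOGON_KEY and name in WINLOGON_VALUES and install in data:
            hits.append("persistence:winlogon")
    elif ev.kind == "file" and ev.fields.get("path", "").lower().endswith(install):
        hits.append("drop:" + cfg["install_path"])
    return hits


def scan(events, cfg=CONFIG) -> dict[str, int]:
    """Count indicator hits across a stream of events."""
    summary: dict[str, int] = {}
    for ev in events:
        for h in match_event(ev, cfg):
            summary[h] = summary.get(h, 0) + 1
    return summary


SAMPLE_EVENTS = [  # constructed telemetry for this example; paths and host names are illustrative
    Event("file", {"path": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"}),
    Event("mutex", {"name": "DC_MUTEX-F54S21D"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                       "value_name": "MicroUpdate",
                       "data": r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"}),
    Event("registry", {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                       "value_name": "UserInit",
                       "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\msdcsc.exe"}),
    Event("dns", {"query": "yesyoa.no-ip.biz"}),
    Event("connect", {"host": "yesyoa.no-ip.biz", "port": 1337}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                       "value_name": "OneDrive", "data": r"C:\Program Files\OneDrive.exe"}),  # benign
]

if __name__ == "__main__":
    for label, count in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{label}: {count}")
```

The Run-key check matches on either the value name or the data on purpose: an operator can rebuild the sample with a different reg_key, but the dropped path under InstallPath tends to survive such changes. The benign OneDrive Run entry in the constructed sample is there to show that an ordinary autostart entry does not fire.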
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1