Extracted

• • Target

    934848d0db1061bcedac028bbdf3fcff_JaffaCakes118

  • Size

    1.8MB

  • MD5

    934848d0db1061bcedac028bbdf3fcff

  • SHA1

    7eae11e0aaa6a2bfefb37537c1f7df28f8043149

  • SHA256

    2ed7d9a7249ca29a607da1c1e2a91cb75f9e9c9c19a8f34fa02d15fdd565af06

  • SHA512

    6f4275d3828b40ce6629d4cbcf36ab44c953c91a131375cb591008fbde7840125366ccbd248738f1aa6ed31618f4ff45dc758d11a9564bb8cb611086ba58d853

  • SSDEEP

    24576:8Tv8IaE4o4xKc4dl/AjR5ZbfDWItOtqAK2MB/lAdizMzBIqjwoljui:Kv8I3pWF4D4HZv/4in/SizM7F

  Score

  10^/10

  darkcometisrstealersexy_dahcredential_accessdiscoveryevasionpersistenceratspywarestealertrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer

  • ISR Stealer payload

  • Modifies WinLogon for persistence

    persistence

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2