Extracted

• • Target

    a377b3a16409fd5a0b6a5d5c9e01252d_JaffaCakes118

  • Size

    784KB

  • MD5

    a377b3a16409fd5a0b6a5d5c9e01252d

  • SHA1

    901b9c7b242cad1b5c9c7628f5e6df6dfe96308e

  • SHA256

    15d2c33c412f6751227856f7c8a887c9c5dcb905efdc4cbf9dc2e19a80bbd657

  • SHA512

    f797ab136bcd70996f79a82c0042f9f5d4bf2d0e90ee56a504c99f70eda55a9f0fb0944e35cb3e92deeab90f25eede7e10684d459bb952978b3c1225b1a27e61

  • SSDEEP

    24576:d9gGLm4ki3pnf325Mm+gdnywb1QIbG9g+9fm:dqN4Jnf3dQHS6

  Score

  10^/10

  darkcometlatentbotdiscoverypersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2