Extracted

Extracted

• • Target

    aa3f376ee6d85e33aa791291895177c9_JaffaCakes118

  • Size

    742KB

  • MD5

    aa3f376ee6d85e33aa791291895177c9

  • SHA1

    ff86f021ea787521055a4d0d807860c9747dfef3

  • SHA256

    79ad7b5c345b6afa3bc8eda6a651dcb3f09baec5aa0878b438fc57d7f5927902

  • SHA512

    a79e33ce2a7f50d728a39da040bd6e6f32010ecca7e563ffda7160ab079410aa3630e260f62826aa0112de4a442488acc19a182fd2f5afdfbec3f8ee7a65ae93

  • SSDEEP

    12288:bXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uq:DnAw2WWeFcfbP9VPSPMTSPL/rWvzq4J6

  Score

  10^/10

  darkcometlatentbotvictimdiscoveryevasionpersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies security service

    evasion

  • Windows security bypass

    evasiontrojan

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2