Extracted

• • Target

    4dbad88c8499d5b107f0fb03db52d51a_JaffaCakes118

  • Size

    538KB

  • MD5

    4dbad88c8499d5b107f0fb03db52d51a

  • SHA1

    c90ea6bfa776801348deb9e12737d4bfdd2874ba

  • SHA256

    a143da5677db0949f56555e84e1a1f03a17ea7319b4b6c56abbac36b7f0abf67

  • SHA512

    b8b694ce0f28d2c80f0b98236ff3562b332d3acb256e51f86f1fb34948fb236bab529388409687bb67bac66e91ac9b6f25056d2c3cd2e76a1ed8445d2a603899

  • SSDEEP

    12288:eh2iNyOcF4Xb8oVDdRCWIEYHTnlSZzAj6Ii+YGo:eh/w4r8B6YzlxOI

  Score

  10^/10

  darkcometnormaldiscoveryevasionpersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2