Extracted

• • Target

    5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118

  • Size

    4.5MB

  • MD5

    5853b884a32eb9e9503eac435ee36ecf

  • SHA1

    191d500dbf1f089a0ad2c8f1221bffd4ca10ce76

  • SHA256

    217258eb9bcbf4c2ee3667e17a79327cfd33698335fccd94300c6789dbb47c54

  • SHA512

    076c51793de919f402fbe9345fbca2fb2b6a2ef2aff9d91242953df0e4bbcac5f85b290969ed81e941f1d0677a137eba7dd7406b225676adf939cdc264dbb57c

  • SSDEEP

    98304:ayE+lPT8meQ3pv6kTcKCR88WurxVs5QXjyT+oriOs7w29:ayvlAhO7eRpW9Adolup9

  Score

  10^/10

  darkcometventrilodiscoveryevasionpersistenceprivilege_escalationrattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Modifies WinLogon for persistence

    persistence

  • UAC bypass

    evasiontrojan

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2