Extracted

• • Target

    bd67d22cadfe66ca3f914e4702a437b5_JaffaCakes118

  • Size

    699KB

  • MD5

    bd67d22cadfe66ca3f914e4702a437b5

  • SHA1

    42e36f5b1e9a116c1a9ae6c740186fb7606c63da

  • SHA256

    889d0c285c75bd93dd27109f019888e188996edcb4760ab9703627a1d341de5a

  • SHA512

    1bb588877eb9161efe5e409d7dc1347ecf69e15812d1c9309d29d196acfd11fd08b0348af61b05efc1728b535f0bca5a03fd97b37b9733ce7ef571ba6090826f

  • SSDEEP

    12288:S26g9e3ai37SzggkWClfOV8ef2h/8C+QISVBy4iKFRUX6YfllbSpbIwyg7X1UKCh:S26g4qi37SzgpWClfOhf298C+QISVByd

  Score

  10^/10

  darkcometguest16discoveryevasionpersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2