General
Target: e4c92e4190580442c367f8a3f7ba0cbf_JaffaCakes118
Size: 504KB
Sample: 241212-fke66s1nhw
MD5: e4c92e4190580442c367f8a3f7ba0cbf
SHA1: 875f9d4228cbc657a275a8e1d38ea8e9f25b692c
SHA256: 864ca9e668afd622aa7e36429fec7a85cdaafd1045e1a1ad85c43e4f8ce9f84c
SHA512: 23f71d872fde0f01b0d8bc9ddbcb96a08f1c121eae0b6060fb756632143e145ece16b00cff6e544429b3455a34d71435251399ee8b54c83c23b72719ceddfdc8
SSDEEP: 12288:NUIENsXWcNWxQA5II7X6Ag8vC5euujNBq0FaiCGMRBLMj:NU+XWcN6+I7X6AgFeuuBw0EZo
Static task: static1
Behavioral task: behavioral1
Sample: e4c92e4190580442c367f8a3f7ba0cbf_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: darkcomet
Botnet: fa
C2: mahmodemos.no-ip.org:1604
Mutex: DC_MUTEX-6ZSL9GY
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 60BQkPtZSaCq
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Targets
Target: e4c92e4190580442c367f8a3f7ba0cbf_JaffaCakes118
Size: 504KB
MD5: e4c92e4190580442c367f8a3f7ba0cbf
SHA1: 875f9d4228cbc657a275a8e1d38ea8e9f25b692c
SHA256: 864ca9e668afd622aa7e36429fec7a85cdaafd1045e1a1ad85c43e4f8ce9f84c
SHA512: 23f71d872fde0f01b0d8bc9ddbcb96a08f1c121eae0b6060fb756632143e145ece16b00cff6e544429b3455a34d71435251399ee8b54c83c23b72719ceddfdc8
SSDEEP: 12288:NUIENsXWcNWxQA5II7X6Ag8vC5euujNBq0FaiCGMRBLMj:NU+XWcN6+I7X6AgFeuuBw0EZo
Signatures
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)