General

Target: e5b1bb3bb10e1870f622cbc5a49e1e9f_JaffaCakes118
Size: 676KB
Sample: 241212-k8hz7a1ral
MD5: e5b1bb3bb10e1870f622cbc5a49e1e9f
SHA1: 77ace91242caaafebb4478068d064d3cb98f72a5
SHA256: dff1fdf57e443884f73c50c7c3d285e6b752fa923a3601daa3c1ce63331ce4f2
SHA512: a970b3b3625a3385cb0df70fa3b31b383dcc8efdccb9e47f595c9eec1ea87c1817a1fca2f4a9d62a1ef2bccf7031706e7c8935ba81c20d9c7a60ee7691cfde05
SSDEEP: 12288:cWRSJugNlxv0W3ZUwbqwpXbtL8LLtBYKuFewpncaXn3IWeK4DYrwjWK8hR/JSUSc:pQcgNTv0CUwbhtLuLYtFFJNeDErdh0Nu

Static task: static1

Behavioral task: behavioral1
Sample: e5b1bb3bb10e1870f622cbc5a49e1e9f_JaffaCakes118.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: e5b1bb3bb10e1870f622cbc5a49e1e9f_JaffaCakes118.exe
Resource: win10v2004-20241007-en
Malware Config

Extracted
Family: darkcomet
Botnet: 24/12/2012 1604
C2: 158.255.215.83:1700
Mutex: DC_MUTEX-YEWS2Q4
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 3xmvFz3cURTB
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Targets

Target: e5b1bb3bb10e1870f622cbc5a49e1e9f_JaffaCakes118
Size: 676KB
MD5: e5b1bb3bb10e1870f622cbc5a49e1e9f
SHA1: 77ace91242caaafebb4478068d064d3cb98f72a5
SHA256: dff1fdf57e443884f73c50c7c3d285e6b752fa923a3601daa3c1ce63331ce4f2
SHA512: a970b3b3625a3385cb0df70fa3b31b383dcc8efdccb9e47f595c9eec1ea87c1817a1fca2f4a9d62a1ef2bccf7031706e7c8935ba81c20d9c7a60ee7691cfde05
SSDEEP: 12288:cWRSJugNlxv0W3ZUwbqwpXbtL8LLtBYKuFewpncaXn3IWeK4DYrwjWK8hR/JSUSc:pQcgNTv0CUwbhtLuLYtFFJNeDErdh0Nu

- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
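The extracted config and the behavioural signatures above are enough to write host-level detection checks for this sample. The following is an added example, not part of the sandbox report or of any Triage output: it turns the config (C2, mutex, InstallPath, reg_key) into indicators and runs them over a constructed, simplified Sysmon-style event stream. The report names the behaviours but not the registry values involved, so two details are assumptions: that the Winlogon modification lands in the UserInit value, and that the location check reads under Control Panel\International\Geo. All paths and events in the block are constructed for illustration.

```python
"""Host-level detection checks derived from the extracted DarkComet config.

Added example, not part of the sandbox report. The telemetry below is a
constructed, simplified Sysmon-style event stream; the Winlogon value
(UserInit) and the geofence registry path (Control Panel\\International\\Geo)
are assumptions, because the report names the behaviours but not the
registry values involved.
"""

# Copied from the "Malware Config" section of the report.
EXTRACTED_CONFIG = {
    "c2": "158.255.215.83:1700",
    "mutex": "DC_MUTEX-YEWS2Q4",
    "install_path": r"MSDCSC\msdcsc.exe",
    "reg_key": "MicroUpdate",
}

# Registry key suffixes, compared case-insensitively against the full key path.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
GEO_KEY = r"control panel\international\geo"  # assumed geofence lookup location

# Constructed paths used in the sample events (not from the report).
SAMPLE_EXE = r"C:\Users\victim\Desktop\e5b1bb3bb10e1870f622cbc5a49e1e9f_JaffaCakes118.exe"
DROPPED_EXE = r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe"

SAMPLE_EVENTS = [  # constructed telemetry; "image" is the process that generated the event
    {"type": "registry", "op": "QueryValue", "image": SAMPLE_EXE,
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "registry", "op": "SetValue", "image": SAMPLE_EXE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate", "data": DROPPED_EXE},
    {"type": "process", "image": DROPPED_EXE},
    {"type": "registry", "op": "SetValue", "image": DROPPED_EXE,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "UserInit",
     "data": r"C:\Windows\system32\userinit.exe," + DROPPED_EXE},
    {"type": "mutex", "image": DROPPED_EXE, "name": "DC_MUTEX-YEWS2Q4"},
    {"type": "network", "image": DROPPED_EXE, "dst": "158.255.215.83", "dport": 1700},
    # Benign noise that the rules must not flag.
    {"type": "registry", "op": "QueryValue", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "registry", "op": "SetValue",
     "image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst": "93.184.216.34", "dport": 443},
]


def build_indicators(cfg):
    """Normalise the extracted config into directly comparable indicators."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_path": cfg["install_path"].lower(),  # path suffix, e.g. msdcsc\msdcsc.exe
        "run_value": cfg["reg_key"].lower(),
    }


def match_event(ev, ind):
    """Return the list of rule names a single event triggers."""
    hits = []
    if ev["type"] == "network":
        if ev["dst"] == ind["c2_host"] and ev["dport"] == ind["c2_port"]:
            hits.append("c2_connection")
    elif ev["type"] == "mutex":
        if ev["name"] == ind["mutex"]:
            hits.append("darkcomet_mutex")
    elif ev["type"] == "process":
        if ev["image"].lower().endswith("\\" + ind["install_path"]):
            hits.append("dropped_exe_executed")
    elif ev["type"] == "registry":
        key, value = ev["key"].lower(), ev.get("value", "").lower()
        data = ev.get("data", "").lower()
        if ev["op"] == "SetValue" and key.endswith(RUN_KEY):
            if value == ind["run_value"] or ind["install_path"] in data:
                hits.append("run_key_persistence")
        if ev["op"] == "SetValue" and key.endswith(WINLOGON_KEY) and ind["install_path"] in data:
            hits.append("winlogon_persistence")
        if ev["op"] == "QueryValue" and key.endswith(GEO_KEY):
            hits.append("geofence_lookup")
    return hits


def scan(events, ind):
    """Return [(rule, event_index)] over the whole stream.

    A Geo lookup on its own is ordinary behaviour (explorer, installers), so
    geofence_lookup is reported only for images that also triggered a
    DarkComet-specific rule; every other rule stands on its own.
    """
    raw = [(rule, i) for i, ev in enumerate(events) for rule in match_event(ev, ind)]
    flagged = {events[i]["image"].lower() for rule, i in raw if rule != "geofence_lookup"}
    return [(rule, i) for rule, i in raw
            if rule != "geofence_lookup" or events[i]["image"].lower() in flagged]


if __name__ == "__main__":
    for rule, i in scan(SAMPLE_EVENTS, build_indicators(EXTRACTED_CONFIG)):
        print(f"{rule:<22} {SAMPLE_EVENTS[i]['image']}")
```

Against the constructed stream, the six DarkComet events fire one rule each and the three benign events fire none; the explorer.exe Geo read is matched by the raw rule but dropped by the correlation step in scan(), which is the behaviour you want before shipping the geofence check as anything more than a supporting indicator. Install path and Run value are matched case-insensitively because Windows paths and registry names are.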
MITRE ATT&CK Enterprise v15

Persistence
Boot or Logon Autostart Execution (T1547): 2
- Registry Run Keys / Startup Folder (T1547.001): 1
- Winlogon Helper DLL (T1547.004): 1

Privilege Escalation
Boot or Logon Autostart Execution (T1547): 2
- Registry Run Keys / Startup Folder (T1547.001): 1
- Winlogon Helper DLL (T1547.004): 1