General
- Target: f402a16676631d77a2dcb8c046991f00_JaffaCakes118
- Size: 493KB
- Sample: 241215-pp85gstpgy
- MD5: f402a16676631d77a2dcb8c046991f00
- SHA1: 48c4f74248ff71dbd31267da4104e9c892882a2c
- SHA256: 66590902797120864dbef0899092c139a15a2a0255864538c9af18df8f4881ca
- SHA512: 97c76ff7c67e514e236d61dd48cdf40053e7283fa918c96aee94d132061b6965f9f0977cf097a97170490995390f9b070fd66bf410561df98f91a1a978aaee3e
- SSDEEP: 12288:X+Xb/LLjHiVISC1ej9IC5Wh6o5SFMX9TLZebk/KH:XWvLjHlSCUtyRZi

Static task: static1

Behavioral task: behavioral1
- Sample: f402a16676631d77a2dcb8c046991f00_JaffaCakes118.exe
- Resource: win7-20240903-en
Malware Config

Extracted: darkcomet
- Victim
- C2: kasual.no-ip.org:1604
- Mutex: DC_MUTEX-BJY9NCZ
- InstallPath: bootmgr
- gencode: NdSW8lmR1GU4
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: bootmgr
Targets
- Target: f402a16676631d77a2dcb8c046991f00_JaffaCakes118
- Signatures:
  - Darkcomet family
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Uses the VBS compiler for execution
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)