General

Target: f9fa90288430f91833addc4ce54347a0_JaffaCakes118
Size: 328KB
Sample: 241218-ednpastjhp
MD5: f9fa90288430f91833addc4ce54347a0
SHA1: 492120ab7a0645c6d742acb56d303999c008c475
SHA256: 66bf652ccd1e570c51dd1d869074823875694d1e57ab4ee6ed3da18135e3ace7
SHA512: 65e934356c43bd2518fbf51c9ff9f15a502332984d2d41feef62576e2a29e8d4d21eb4180d3c15aa96ab199f38e3f78204ffbfd62f4a4a5cfd9a286833ed7632
SSDEEP: 6144:zmyc5Y52bekxSO8y9GsfGU3gLahNiKZWAqfuexh9rYsWP89O1:zm+on9bfVhNQAwxjWP8Q1
Static task: static1

Behavioral task: behavioral1
Sample: f9fa90288430f91833addc4ce54347a0_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: f9fa90288430f91833addc4ce54347a0_JaffaCakes118.exe
Resource: win10v2004-20241007-en
Malware Config

Extracted family: darkcomet
Campaign ID: S4League hacked
C2 addresses:
127.0.0.1:1604
81.14.31.39:1604
darkhackgael.no-ip.info:1604
Mutex: DC_MUTEX-VY74S8K
InstallPath: MSDCSC\msdcsc.exe
gencode: S2kPWNi5ysCM
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Targets

Target: f9fa90288430f91833addc4ce54347a0_JaffaCakes118
Signatures:
- Darkcomet family
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext