Extracted

• • Target

    JaffaCakes118_07aac523473ca66487a6e29cb3a8dfd1

  • Size

    249KB

  • MD5

    07aac523473ca66487a6e29cb3a8dfd1

  • SHA1

    f1c313bbba97d97cbcfc496b170ca112a9f08da1

  • SHA256

    13e7709b9c2f4754efb6e8a956cf810297b64bbd29959b8fa3d1adcca3c18590

  • SHA512

    5f1a630aaf54faad5db8883622b652ba3b7cd0c84507543dd8858ae00616f764522a927a05c66e8fdf13f7b0b6b6b929a047a4573b21cf0ba2dea51fabc5e1f0

  • SSDEEP

    6144:swT5O7pJmNB6dLY6dCnnsyZLHoaIyv6ocU/qxDS2xDWb3cw0O:sP+NULZdCn3TbncU2D7Ab3m

  Score

  10^/10

  darkcometguest16defense_evasiondiscoverypersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Modifies security service

    defense_evasion

  • Windows security bypass

    defense_evasiontrojan

  • Disables RegEdit via registry modification

    defense_evasion

  • Disables Task Manager via registry modification

    defense_evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2