Extracted

• • Target

    JaffaCakes118_106ba4150b011aaf40d8b947225e3f51

  • Size

    2.6MB

  • MD5

    106ba4150b011aaf40d8b947225e3f51

  • SHA1

    ffd99ea0c9478e060ae60faf1d4fbd7a88edaf9f

  • SHA256

    3f5e37013f992b218c16685e981bdba82886cd7f521ad2aff42a0a5a30579497

  • SHA512

    75c11bbf5742c9233431569e903b3f6e27b36bc690a146272b987d4c0fe9eaee407af9897893ad1368b1f2c8edbeec1bb36dd61709e8cafc6736f12a562ff5dd

  • SSDEEP

    24576:z4nxVWjypb0lNU0ayYuu8LyLMIqiKkkhHGGJpVhQKOgoKgX+N1yPNZjSs4fy6uib:+8XlxhvLJp/+nlFZjSzXExessnkLY7N

  Score

  10^/10

  darkcomet2012discoverypersistenceprivilege_escalationrattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2