Extracted

• • Target

    JaffaCakes118_3a557d150e6b48343d2f15279339f32e

  • Size

    702KB

  • MD5

    3a557d150e6b48343d2f15279339f32e

  • SHA1

    a176f5e4f5a40947a499b39e71de8e65d0299021

  • SHA256

    94142545a37248ce7c7770d447e17b0e002d395210a1e9845926c5c00dd0cf16

  • SHA512

    444c7139f2a198e83e5747bfaed84377183538e963c1b1bcb78ac006fe0dbbb622b23fe95f3ec39b5147304e2f3c95c64a8d47cc564604ad32af10510f5c6c74

  • SSDEEP

    12288:jZx6Nt8TyctWdD9jxwyck32hg0fElpAvVT+74cIFOo/yO3gjn0qaWjOzvkzlvCIS:Ipj2cCRSBC7LvzR

  Score

  10^/10

  discoveryupxdarkcometguest16defense_evasionpersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2