Extracted

• • Target

    JaffaCakes118_8d906b9ed7ab800c234db4f13fb173ec

  • Size

    479KB

  • MD5

    8d906b9ed7ab800c234db4f13fb173ec

  • SHA1

    23114352fa03b7765c7528dea58d39a580c0b5e2

  • SHA256

    5c2b4e2807ae47b64c730470b31b356e9ec7d5076cf2a273582ef65d05659221

  • SHA512

    4852ac66adecf6e66841b95556508bf2ec544ff78bd68ddc9f8d01cf10e39060cb455aeeb493d7955ec81c9134271f22b43ee50f880959c2acaeccdf7c7a3f34

  • SSDEEP

    12288:wYU38tWvCBk0+d4Ouz90NWkja7ZRawg1qj136pS8rtft6FJDMI:vgd4OLkk+f+qF6o8hft6Fd

  Score

  10^/10

  darkcometsalitybackdoordefense_evasiondiscoverypersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Sality family

    sality

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Disables Task Manager via registry modification

    defense_evasion

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2