Extracted

Extracted

• • Target

    JaffaCakes118_e706a7d486d344c3d0ecb49164b5ec1c

  • Size

    876KB

  • MD5

    e706a7d486d344c3d0ecb49164b5ec1c

  • SHA1

    382e1e23810aed3f3b6439e1b37702b9bef9aa41

  • SHA256

    8885ab01d97a8f6f1a7ea70021a1594482cde9f89a9cbcffdf7e941c3159d5b4

  • SHA512

    64ab059a84fb1fade395cbae3c46cda191ab173f857817e5140656f4162071ef4a5b1ce74955f38d2068837d27b47c423c7f72762462730c4083e115eac85b40

  • SSDEEP

    24576:nUD3WVqWznA1ICUKy2t0ZeOZ73oGO/bDZE1tcsO:2mMWznA1GKy2mkOZ74p//ZETO

  Score

  10^/10

  darkcometguest16discoverypersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Downloads MZ/PE file

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2