General

  • Target

    JaffaCakes118_eb96880c4199d7db8d42a39b64978983

  • Size

    414KB

  • Sample

    250212-axvjqsvrht

  • MD5

    eb96880c4199d7db8d42a39b64978983

  • SHA1

    44973d46007abb46d4c3b59de11230cc65d35451

  • SHA256

    74a2da8d3576ca4a987fa614fac3fd11c46f93b7194c2ab9c323d64b2fed29ae

  • SHA512

    a9009a160cc63720602e3997d94d7c278f2373aff0796ff81312de42a680e4d86f0d3cf4590cde7e46ea09194ddefedc315b3de81ff74549e9a24302599ed884

  • SSDEEP

    6144:WInhFaPHkxxhebwH8CH0HMXHhDMktjZ9hA15/nX9oP9c+UPnG3v/kGa2PPPPPPPN:WSQPo3ei8CXGa9O5/Ic+UU/

Malware Config

Extracted

  • Family

    darkcomet

  • Botnet

    Victims

  • C2

    184.77.150.121:1604

  • Mutex

    DC_MUTEX-ULL6L39

Attributes

  • gencode

    n-ix#1usu2B3

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Targets

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks