Extracted

Extracted

• • Target

    JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0

  • Size

    353KB

  • MD5

    0e01525d20d82472d8f4f4baeceea7c0

  • SHA1

    735ff695990bfc7a4b926297bb2c925da5d77da7

  • SHA256

    b5880746d859edbfc53d9118d7ce6bad58c20e9f67270b1ffcfa4cfc177cb655

  • SHA512

    65b350c6c28b66aad48f2427032d9b1df2926b50d8dc6868d4135dea49a26fc02d321b560b663198a856129e4a1893850e5c73b5cd7b3a95330137cb100868c0

  • SSDEEP

    6144:2JD6KarVGMX0mNsVvpyTpZY63vwPOj4LOAhz6tUIBwWcOUl2jXQcXForOM/m1n6:uDGRsuspipaSSW4zhSBwWcODsc1aOM/Y

  Score

  10^/10

  darkcometokshadefense_evasiondiscoverypersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Modifies security service

    defense_evasion

  • Windows security bypass

    defense_evasiontrojan

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2