General
-
Target
JaffaCakes118_1a43b5623de08e39332adfd34acd6bf8
-
Size
820KB
-
Sample
250222-rxl12azkew
-
MD5
1a43b5623de08e39332adfd34acd6bf8
-
SHA1
d2e6f34432e9cb3b6585f07d49d7327b77b4afb7
-
SHA256
e81cf832df3588aa9a5faf1bd5a1bafd86aae8df3cd3cbfa476fb94841ac4ff5
-
SHA512
0570d4deaaa4c883de2ef7c5f25da45806c6a29ceef7d207bfef1d275c832dbe75d26fdd14ea1ba186d0e6f4df5e99469fbe2b846e2e630fd5b0ac37e8001d89
-
SSDEEP
12288:yBFs67YDISdzHHpXtWAAqnGhnqK2Vvw9U/4UO4LPdZ/MNvfv5bd859sM25wi:A7YTHHpVV4CQ4L19IfITsn
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_1a43b5623de08e39332adfd34acd6bf8.exe
Resource
win7-20240903-en
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-F54S21D
-
InstallPath
Windupdt\winupdate.exe
-
gencode
Xsy4ad-WZs1u
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
winupdater
Targets
-
-
Target
JaffaCakes118_1a43b5623de08e39332adfd34acd6bf8
-
Size
820KB
-
MD5
1a43b5623de08e39332adfd34acd6bf8
-
SHA1
d2e6f34432e9cb3b6585f07d49d7327b77b4afb7
-
SHA256
e81cf832df3588aa9a5faf1bd5a1bafd86aae8df3cd3cbfa476fb94841ac4ff5
-
SHA512
0570d4deaaa4c883de2ef7c5f25da45806c6a29ceef7d207bfef1d275c832dbe75d26fdd14ea1ba186d0e6f4df5e99469fbe2b846e2e630fd5b0ac37e8001d89
-
SSDEEP
12288:yBFs67YDISdzHHpXtWAAqnGhnqK2Vvw9U/4UO4LPdZ/MNvfv5bd859sM25wi:A7YTHHpVV4CQ4L19IfITsn
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1