General
- Target: JaffaCakes118_1c4cf79556b2e7277ebbac5d299e2ef7
- Size: 1.0MB
- Sample: 250222-z2p79azkgq
- MD5: 1c4cf79556b2e7277ebbac5d299e2ef7
- SHA1: 4c6d7d10fe9f0742fa8f33a283b65b12e43a353a
- SHA256: 382cb6ee7c42d0792d49f6c5b11b65ab7c88b394ede77f1f19bb70a755e78032
- SHA512: 82cda393aee536f75f1c5e9865edf015157f733a747a07b11c5af38e19d35b893d68113726e68354f075e1bc8f0c59a4ad8ad10a775a201360a2de1da313f72f
- SSDEEP: 12288:T6J0CUopUcISxxFQAY7WFRhpxkyRkszl30NXz4dEajUvHgM0jER364q2yGaHV6Mr:TY0SVzRASNMsfVn/n3nCZhrG
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_1c4cf79556b2e7277ebbac5d299e2ef7.exe
- Resource: win7-20241023-en
Malware Config
Extracted: darkcomet
- Guest16
- waynezor.no-ip.info:101
- DC_MUTEX-ASPL96Y
- InstallPath: Program Files\Windows\Update.exe
- gencode: sl/c%xP#Q-j�
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: winupdater
Extracted: darkcomet
- gencode:
- install: false
- offline_keylogger: false
- persistence: false
Targets
- Target: JaffaCakes118_1c4cf79556b2e7277ebbac5d299e2ef7
- Size: 1.0MB
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)