Extracted

Extracted

• • Target

    JaffaCakes118_49a345d4194d28036d1430645f7519e7

  • Size

    1.2MB

  • MD5

    49a345d4194d28036d1430645f7519e7

  • SHA1

    bf964e926b74e3f1216ed54f69f9a7b55a9ab464

  • SHA256

    904e180b5468b3c91feee425e0ebcd68b33b81ffef5ad3130aa3ab0f388d4994

  • SHA512

    f83e9d1531c278910a72c9c67b9b08add1d9f20102e5dc87d233121499173e8dbc63ba182dc30587fb9c025cbb7888c2bf9c66792e64e5662dc6c05dfefb2767

  • SSDEEP

    24576:QFE//Tct4bOsa1Kmk9FfceaKYaNUFAcdm12F2D024J8i6Lzsb40pfsAXu/:ySVFmk9Ffc7g+6B12O0LJ8BLzsb1pk//

  Score

  10^/10

  darkcometguest16defense_evasiondiscoverypersistencerattrojanupx

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Modifies security service

    defense_evasion

  • Windows security bypass

    defense_evasiontrojan

  • Disables RegEdit via registry modification

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2