General
-
Target
JaffaCakes118_50d5a14d2889e23b47e5bc1124319470
-
Size
658KB
-
Sample
250305-gv4g7a1sat
-
MD5
50d5a14d2889e23b47e5bc1124319470
-
SHA1
ff4782f592761b3eff3a43b33032c6a76e4dfdf5
-
SHA256
95d031e7d898c92f065da4fc3064398bde5bbe97826c625bef4e98e591d5188a
-
SHA512
69076c26ef996f47c490528514b5c5537e6197e9ada42431f3af2f5aa233c18b4277c8af6daf5f9031a8801a313f114db44e849543f72be8e7361769829c06d4
-
SSDEEP
12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/he:eZ1xuVVjfFoynPaVBUR8f+kN10EBo
Behavioral task
behavioral1
Sample
JaffaCakes118_50d5a14d2889e23b47e5bc1124319470.exe
Resource
win7-20241010-en
Malware Config
Extracted
darkcomet
Guest16
infohacked.no-ip.org:1604
DC_MUTEX-HKH3CSC
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
bEmAeB0cX62m
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
JaffaCakes118_50d5a14d2889e23b47e5bc1124319470
-
Size
658KB
-
MD5
50d5a14d2889e23b47e5bc1124319470
-
SHA1
ff4782f592761b3eff3a43b33032c6a76e4dfdf5
-
SHA256
95d031e7d898c92f065da4fc3064398bde5bbe97826c625bef4e98e591d5188a
-
SHA512
69076c26ef996f47c490528514b5c5537e6197e9ada42431f3af2f5aa233c18b4277c8af6daf5f9031a8801a313f114db44e849543f72be8e7361769829c06d4
-
SSDEEP
12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/he:eZ1xuVVjfFoynPaVBUR8f+kN10EBo
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1