General
-
Target
JaffaCakes118_57e1ec280fffc09227da1814d4ff8879
-
Size
809KB
-
Sample
250306-29eslazrt9
-
MD5
57e1ec280fffc09227da1814d4ff8879
-
SHA1
fb3b6c14e5d5f6a6b9e4a690e905878ad70e0d8a
-
SHA256
d275b70db1bb24fd9a021648438ef24c1abab9c53623d2dd7cb2875e5d74b9b4
-
SHA512
3d63b20f1f5fd98e41a1c780dbe6f567196c98878d333db44ab863e50557671dafe3a781dd5471d417f91aff041dcce1d7dfc63fd74a8144263553da8ca76b1c
-
SSDEEP
12288:F499HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9:FuZ1xuVVjfFoynPaVBUR8f+kN10EBT
Behavioral task
behavioral1
Sample
JaffaCakes118_57e1ec280fffc09227da1814d4ff8879.exe
Resource
win7-20240903-en
Malware Config
Extracted
darkcomet
- gencode
-
install
false
-
offline_keylogger
false
-
persistence
false
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-C17PMA7
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
UU4nMHM6fs0L
-
install
true
-
offline_keylogger
true
-
password
1234
-
persistence
false
-
reg_key
MicroUpdate
Targets
-
-
Target
JaffaCakes118_57e1ec280fffc09227da1814d4ff8879
-
Size
809KB
-
MD5
57e1ec280fffc09227da1814d4ff8879
-
SHA1
fb3b6c14e5d5f6a6b9e4a690e905878ad70e0d8a
-
SHA256
d275b70db1bb24fd9a021648438ef24c1abab9c53623d2dd7cb2875e5d74b9b4
-
SHA512
3d63b20f1f5fd98e41a1c780dbe6f567196c98878d333db44ab863e50557671dafe3a781dd5471d417f91aff041dcce1d7dfc63fd74a8144263553da8ca76b1c
-
SSDEEP
12288:F499HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9:FuZ1xuVVjfFoynPaVBUR8f+kN10EBT
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1