General
-
Target
JaffaCakes118_564ebd92868b282351b3e1158c8475cd
-
Size
736KB
-
Sample
250306-pc961sxzcw
-
MD5
564ebd92868b282351b3e1158c8475cd
-
SHA1
193a1573a7267c9bcd1d4283b6e67b8a57b96ca9
-
SHA256
0646885bb710e38f6f10befa4810b8034fd88b1b1c5b09158e66759d6c8ebd45
-
SHA512
39e679c2f68df8c16d7a31f284b87788d143f47374d0bb7c8792e9c3d5f84d7413f47eb526f351155fd28cc1fa04b0afca074e3ec0e26ff2d8b447e6587266f1
-
SSDEEP
12288:jpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Qb:lwAcu99lPzvxP+Bsz2XjWTRMQckkIXnI
Behavioral task
behavioral1
Sample
JaffaCakes118_564ebd92868b282351b3e1158c8475cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_564ebd92868b282351b3e1158c8475cd.exe
Resource
win10v2004-20250217-en
Malware Config
Extracted
darkcomet
Guest16
aunjabbar.no-ip.biz:82
DC_MUTEX-AQGZW9Q
-
InstallPath
Windupdt\winupdate.exe
-
gencode
tu#TcG0Kp1C2
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
winupdater
Targets
-
-
Target
JaffaCakes118_564ebd92868b282351b3e1158c8475cd
-
Size
736KB
-
MD5
564ebd92868b282351b3e1158c8475cd
-
SHA1
193a1573a7267c9bcd1d4283b6e67b8a57b96ca9
-
SHA256
0646885bb710e38f6f10befa4810b8034fd88b1b1c5b09158e66759d6c8ebd45
-
SHA512
39e679c2f68df8c16d7a31f284b87788d143f47374d0bb7c8792e9c3d5f84d7413f47eb526f351155fd28cc1fa04b0afca074e3ec0e26ff2d8b447e6587266f1
-
SSDEEP
12288:jpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/Qb:lwAcu99lPzvxP+Bsz2XjWTRMQckkIXnI
-
Darkcomet family
-
Modifies WinLogon for persistence
-
Windows security bypass
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1