Extracted

Extracted

• • Target

    JaffaCakes118_58ef8399e896e60b181961292fb6d666

  • Size

    1.2MB

  • MD5

    58ef8399e896e60b181961292fb6d666

  • SHA1

    d5b651f75234877814d8efabb6256fbc23c662ed

  • SHA256

    6deff5735317a9b7addf8d9f8d3aeca1de68364e63b69037b2c916bcaee44003

  • SHA512

    b9c4059148ff6ff96b376b69450a5234b4de8684ef41173601c24140da62a2b623f4117f5f483be478c9542be676cd705511d9540689b247cd44215b8c2f7b37

  • SSDEEP

    24576:D6t9iwCQliK/JJDORRrQl9uM1aIcLkNC2brX5qXI8PP:Wt9iwJTDOPsrNcwNbwxP

  Score

  10^/10

  blackshadesdarkcomethawkeyeenzcrashcredential_accessdefense_evasiondiscoverykeyloggerpersistenceratspywarestealertrojanupxprivilege_escalation

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

    ratblackshades

  • Blackshades family

    blackshades

  • Blackshades payload

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye

  • Hawkeye family

    hawkeye

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Modifies security service

    defense_evasion

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Windows security bypass

    defense_evasiontrojan

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Disables RegEdit via registry modification

    defense_evasion

  • Disables Task Manager via registry modification

    defense_evasion

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies RDP port number used by Windows

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads local data of messenger clients

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2