Extracted

• • Target

    JaffaCakes118_82cb757cbb5131d04a810cd570ae057e

  • Size

    666KB

  • MD5

    82cb757cbb5131d04a810cd570ae057e

  • SHA1

    8e8a66a384c0110e611d752c06d915232b2ecdbc

  • SHA256

    28c06bd09e2acd56379d16fa8d66ace55ac7dffdc790e5b6d927fb268e849a3e

  • SHA512

    bf9acee20ce0671d931d28bee7a613d8e8c7c6ade54adfaf97ab52d37dd8123c452a5395f3281b33ccbfe7505da1de5b2508e6f479a019619f65cfd5d3044217

  • SSDEEP

    12288:ZpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/61:LwAcu99lPzvxP+Bsz2XjWTRMQckkIXn2

  Score

  10^/10

  darkcometdiscoverypersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • Modifies WinLogon for persistence

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2