General

Target: JaffaCakes118_8f98f16ccc8f9c9c7a7553c44c8a0832
Size: 746KB
Sample: 250329-wjk9sstxgw
MD5: 8f98f16ccc8f9c9c7a7553c44c8a0832
SHA1: 70a32814dd58fd8ed0ad1eeb725757d2e0444c6b
SHA256: d861afcb864c0f7366976c6eb1894c5dbb4be8001c1239de56aa8d3d30444451
SHA512: 54e9f62ede10cb1532942615fb12194bcc02743345595e93acfccc04c6177d52f490b2fadb2580df137ef23bbd3cae9cf275a06772014189723ba8dd50496b18
SSDEEP: 12288:C6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh:nAmBpVKHu0Mu9Xo20VGLVP5
Behavioral task: behavioral1
Sample: JaffaCakes118_8f98f16ccc8f9c9c7a7553c44c8a0832.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_8f98f16ccc8f9c9c7a7553c44c8a0832.exe
Resource: win10v2004-20250314-en
Malware Config

Extracted
darkcomet
Ynnah
Ynnah.no-ip.info:3085
DC_MUTEX-M6EK9E8
InstallPath: Windupdt\winupdate.exe
gencode: .V*$TgrzBQ3N
install: true
offline_keylogger: true
password: 8101993
persistence: true
reg_key: Windows_KB7
Targets

Target: JaffaCakes118_8f98f16ccc8f9c9c7a7553c44c8a0832
- Darkcomet family
- Modifies WinLogon for persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (2)