Extracted

Extracted

• • Target

    JaffaCakes118_b972533e1d6e20b55a10bc2f11bd1c8d

  • Size

    728KB

  • MD5

    b972533e1d6e20b55a10bc2f11bd1c8d

  • SHA1

    37145911c18b6f65e6879771c2caaf7772081378

  • SHA256

    30c0b480c6ea96f1c4964f4b228b9f9e05bdb93f552a63d8d4c78412ae1a2700

  • SHA512

    966ec64ea77d103a1d561bd0eb0ce20399f164c8d95364b6e6544a45498a2b3fb56150a33175c2dad52252e57f3fc69746ee649770e392a2bca705eb4d76d60e

  • SSDEEP

    12288:tK2IV1diFZ08/H0jPB1BCv/o7F0lYWdsDdILCfqjZA+Hdpix94AiYJpIoFsZyGW:t0VTG5/He/BCnEeYlDdIL2qNA+biP4He

  Score

  10^/10

  darkcometlatentbotguest16defense_evasiondiscoverypersistencerattrojan

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Darkcomet family

    darkcomet

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot

  • Latentbot family

    latentbot

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    defense_evasion

  • Modifies security service

    defense_evasion

  • Windows security bypass

    defense_evasiontrojan

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1