General
Target: 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118
Size: 1.2MB
Sample: 240627-mwxc6axdme
MD5: 15b7e0abf99ca0d676029e8b22498209
SHA1: 81ddddb411c2e52c38756d2844b9697655884bb4
SHA256: 1b42202ece42ad388bfc7130f23945748a26ef286e8478e3f800d7f552fe340f
SHA512: 025330e1576eb9010f77df11404f984bebcfa7dbef3ec543bc6cfdcbb4c623495b4963c4c7e088dda418eb8b6c734e4b297f69d5668b38598310498b5ad346c4
SSDEEP: 24576:K9b43KRo7xvu2Ui+mBvqvtEWvRk8Ml6uOdbI:e4ay7xui/wRk9suQE
Static task: static1
Behavioral task: behavioral1
  Sample: 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: darkcomet
Victim: hackingrats.no-ip.biz:1604
DCMIN_MUTEX-KXAVH1D
InstallPath: System32.exe
gencode: DERuPJ12yzN9
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Targets
Target: 15b7e0abf99ca0d676029e8b22498209_JaffaCakes118
Size: 1.2MB
MD5: 15b7e0abf99ca0d676029e8b22498209
SHA1: 81ddddb411c2e52c38756d2844b9697655884bb4
SHA256: 1b42202ece42ad388bfc7130f23945748a26ef286e8478e3f800d7f552fe340f
SHA512: 025330e1576eb9010f77df11404f984bebcfa7dbef3ec543bc6cfdcbb4c623495b4963c4c7e088dda418eb8b6c734e4b297f69d5668b38598310498b5ad346c4
SSDEEP: 24576:K9b43KRo7xvu2Ui+mBvqvtEWvRk8Ml6uOdbI:e4ay7xui/wRk9suQE
Score: 10/10
- Modifies WinLogon for persistence
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext