General
Target: 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118
Size: 300KB
Sample: 240627-t5kjaasdml
MD5: 16b8315c6de1994bdcbc0faf574a162b
SHA1: 38c2018b835dcc8dd6e6c156f7619c8e0acc493d
SHA256: 018556978f8a8e862bb57db11a55e0be62b424db127b66cd77451fe970b30ee0
SHA512: 85f5c29486979cb3480fbfa9ab302a29463b060b12dc3aa95785037cfdc2b7f917492f8a1f3a7043d80ef09dca38b908b0f4423907f31148b8c554323fdca4f2
SSDEEP: 6144:63EriZWNoVdGEu3j1LdH+gYOFtDD02M14rqM:8EWdGn3jzH+ca5M
Static task: static1
Behavioral task: behavioral1
Sample: 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe
Resource: win7-20240611-en
Malware Config
Extracted: darkcomet
User
97.81.46.17:1604
socksproxy1.serveftp.com:1604
DC_MUTEX-R0MQYLT
InstallPath: MSDCSC\msdcsc.exe
gencode: SkFtw2Fer8G2
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Targets
Target: 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118 (size and hashes as listed under General)
- Modifies WinLogon for persistence
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)