General
Target: 1eb4f6368114de35712e3877a11244a1_JaffaCakes118
Size: 297KB
Sample: 240702-ktx6kavelc
MD5: 1eb4f6368114de35712e3877a11244a1
SHA1: fd3b3d3c5b2e0f4a581d816779be8a39de77c41a
SHA256: 07369156178ba6f590d73e7bf4b65e905a982fc5e71cb4c58d2f3ca4f75e4748
SHA512: be8b84d63f44201e36b9a61e660adb7cdede8a8be57c8e44896aa69707d16fbfe36b82f8730232fecce75b27fdf5ddcfe5723a4b7c57a49d3f096e0ba08fb7cd
SSDEEP: 6144:cympJy59MG872XFaVTvo09tRN6uLWidOEtO2Asc7o9zzKMDVQ1:FOPGYc2U0XRN6gWh8O2h/9zzKMDVQ1
Static task: static1
Behavioral task: behavioral1
Sample: 1eb4f6368114de35712e3877a11244a1_JaffaCakes118.exe
Resource: win7-20240221-en
Malware Config
Extracted family: darkcomet
Botnet: Gagze
C2: abdodo.no-ip.org:100
Mutex: DC_MUTEX-V6608W1
InstallPath: MSDCSC\msdcsc.exe
gencode: G31Xw9jA2Vip
install: true
offline_keylogger: true
password: 123456789
persistence: true
reg_key: MicroUpdate
Targets
Target: 1eb4f6368114de35712e3877a11244a1_JaffaCakes118
- Modifies WinLogon for persistence
- Modifies security service
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)