General
Target: 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118
Size: 281KB
Sample: 240703-k3c7rawaqb
MD5: 21ce0bf3df358c7a3d87034d4cba8a73
SHA1: d3cf383529b827668a581a517bab63fd1f5064f6
SHA256: fc2e03dee1a62f0c7b6e84354a3bb187588f78048d4aad87a01cb967f9df3844
SHA512: b9a1aefc6961cdc4eeebf17d6fa0c4ddff36da64a9dbdab6a419c72b3a822fb1beb20d35db2a676a709b69ab6b2edb5af9044ef72032aea11bfc6df99b33a61a
SSDEEP: 6144:2PFhbjbYGBWA72gTXbbqidowX3CJkwWXejkJEwwRlu:KXfbhocLb9owX3CJ3cejkuwG
Static task: static1
Behavioral task: behavioral1
  Sample: 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: darkcomet
  Guest16
  www2q.hopto.org:1604
  DC_MUTEX-PTGB02B
  InstallPath: Up\Update.exe
  gencode: fFbst8hvUYyb
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate
Extracted: darkcomet
  gencode:
  install: false
  offline_keylogger: false
  persistence: false
Targets
Target: 21ce0bf3df358c7a3d87034d4cba8a73_JaffaCakes118
Size: 281KB
Score: 10/10
- Modifies WinLogon for persistence
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext