Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Hack X1000 1.1.bin.zip

  • Size

    340KB

  • Sample

    231005-zwgc6ahd25

  • MD5

    90299a8aa34ac24c015a395bb86f1383

  • SHA1

    e0d45088e262ca821df70955fda9ea56dfc90ae7

  • SHA256

    a9a7e4f65b15cbb5e6276488508e1c5d7c63590e2c73a584a413476fc8848d36

  • SHA512

    061e3098eae56572244861a5fe7e400c5e248470117bd782afbb5e62030ea415d7c62016caa8f8e4a257190b6a78f639ec8c0ba8db033034cf22d99382c43e71

  • SSDEEP

    6144:eNPXAt9IhJxRE7Hyg7joJ9lHLaPECfKOEfuLfnFcCsh/GYaRTya7S+yoVx0DD2:eNYt+hJxSrygYJqyOhfu5h/GlTySS+3R

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.8:4444

Mutex

DC_MUTEX-26BR6RC

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    njZx3Bkpuz6x

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      Hack X1000 1.1.bin

    • Size

      756KB

    • MD5

      74b69971031e3ed8edac827863f464cb

    • SHA1

      97f44a38f292cad03e716857b113a4cb60bc199e

    • SHA256

      5ff3a8d4425ada0f861da4b8177348506e0ba8870dd72ebdb5f58699f6eb69f9

    • SHA512

      0002a9c817da27df65c242627d64a987dfa5f8a55e7fec55754d0678bf37e1dbb9628691b11195a1378f39eba69e0940215ea6a883a964ca42a905e8d75d206c

    • SSDEEP

      12288:V9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hu:fZ1xuVVjfFoynPaVBUR8f+kN10EBk

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks