Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16/07/2024, 10:40

General

  • Target

    4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    4df4bc013741f7da95435c1c30cd2fc5

  • SHA1

    8a98e07431b9997734e67537cb3ebc257759c8f1

  • SHA256

    9306d0e0b32e1d6d5676704ca163f09f7660987d1dfdd4e74e46271bc2af1b87

  • SHA512

    fde7d1d7c30257db06e6ee5d3b94531a9cb594016df5290cc33565434096fd3db567ec2e9cf04e820aafffc8f9d93f592b4b19a1a8cee1649409f9d9da3a0134

  • SSDEEP

    12288:XOhIFzU/bZ4ziPnVG8UmWa6eZNoCrVhSQr8Qoa+/MHLcwe4qoNTUsBGulHHYp1yh:XOhiwOiPVnVvHxr3DHFeMFhHiG

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\4df4bc013741f7da95435c1c30cd2fc5_JaffaCakes118.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        PID:2680
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3028
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Checks BIOS information in registry
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\notepad.exe
            C:\Windows\SysWOW64\notepad.exe
            5⤵
              PID:2108
        • C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe
          "C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:2736
          • C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe
            C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe
            4⤵
            • Modifies firewall policy service
            • Modifies security service
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2252

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\WindowsUpdate\WindowsUpdate.exe

      Filesize

      1.1MB

      MD5

      4df4bc013741f7da95435c1c30cd2fc5

      SHA1

      8a98e07431b9997734e67537cb3ebc257759c8f1

      SHA256

      9306d0e0b32e1d6d5676704ca163f09f7660987d1dfdd4e74e46271bc2af1b87

      SHA512

      fde7d1d7c30257db06e6ee5d3b94531a9cb594016df5290cc33565434096fd3db567ec2e9cf04e820aafffc8f9d93f592b4b19a1a8cee1649409f9d9da3a0134

    • memory/2032-51-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/2032-50-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/2680-8-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

    • memory/2680-35-0x0000000000030000-0x0000000000031000-memory.dmp

      Filesize

      4KB

    • memory/2776-5-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/2776-6-0x0000000000290000-0x0000000000291000-memory.dmp

      Filesize

      4KB

    • memory/2776-2-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/2776-4-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/2776-3-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/2776-95-0x0000000013140000-0x00000000131F7000-memory.dmp

      Filesize

      732KB

    • memory/3028-40-0x0000000000400000-0x000000000051B000-memory.dmp

      Filesize

      1.1MB

    • memory/3028-43-0x0000000000400000-0x000000000051B000-memory.dmp

      Filesize

      1.1MB

    • memory/3028-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/3028-49-0x0000000000400000-0x000000000051B000-memory.dmp

      Filesize

      1.1MB