Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23/07/2024, 12:52 UTC

General

  • Target

    67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe

  • Size

    653KB

  • MD5

    67abc4d8511bef88b5cd7b5884951bf5

  • SHA1

    1e6e8907e291bb71e3d2d1b5050be3a60d39f646

  • SHA256

    71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181

  • SHA512

    bdd62c7d12dad525a874c689a4f46c7ff068eb2b96620a6945b87ca6e66db54f21652c26ca10eae286f048accf634f1af85aff2439fd4985f596f3108bcd8b7a

  • SSDEEP

    12288:I5MlYxLWIpdgFFyIJjr2I9hPUkxuJzRUL9pYe2Xduxni+Tj:Ia4WLbJH2Wdx0JzRULjn2aT

Malware Config

Extracted

  • Family
    darkcomet
  • Botnet
    Outbound
  • C2
    darkcometsa.zapto.org:1604
  • Mutex
    DC_MUTEX-DTNGSWK
  • Attributes
    • gencode
      83vLgsEx21jQ
    • install
      false
    • offline_keylogger
      true
    • password
      mikeyj4711
    • persistence
      false

Extracted

  • Family
    latentbot
  • C2
    darkcometsa.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
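The "UPX packed file" signature above is a static check on the PE section table. The following is an added example of such a check and is not the sandbox's own detector; it parses the section headers by hand and looks for the two things that survive even when a "modified UPX" build renames its sections: a first section that occupies no bytes on disk but a large range in memory, and that section being both writable and executable. The three PE images it runs on are constructed with a small helper and are not the bytes of the files in this report.

```python
"""Section-table check for UPX-style packing (added example, not the sandbox's code).
Runs on constructed PE headers; the section sizes are made up."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
WRITE_EXEC = 0xA0000000           # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def pe_sections(data: bytes):
    """Parse the PE section table and return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_opt                     # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return sections


def upx_indicators(data: bytes):
    """Return the list of packing indicators found; an empty list means none."""
    secs = pe_sections(data)
    found = []
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if upx_names:
        found.append("section names " + ", ".join(upx_names))
    # Stock and renamed UPX alike: the first section is empty on disk but large in
    # memory, because the stub decompresses the original image into it at run time.
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] >= 0x1000:
        found.append("first section %s is empty on disk but 0x%X bytes in memory"
                     % (secs[0]["name"], secs[0]["vsize"]))
        if secs[0]["chars"] & WRITE_EXEC == WRITE_EXEC:
            found.append("first section is writable and executable")
    return found


def build_synthetic_pe(sections):
    """Build a minimal, non-runnable PE: DOS header, COFF header, zeroed PE32
    optional header, then the given (name, vsize, rawsize, characteristics) sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    table, raw_ptr = b"", 0x400
    for i, (name, vsize, rawsize, chars) in enumerate(sections):
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                             rawsize, raw_ptr if rawsize else 0, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples (not the files from this report).
UPX_LIKE = build_synthetic_pe([("UPX0", 0x7A000, 0, 0xE0000080),
                               ("UPX1", 0x35000, 0x34A00, 0xE0000040),
                               (".rsrc", 0x1000, 0x800, 0xC0000040)])
RENAMED_UPX = build_synthetic_pe([(".text", 0x7A000, 0, 0xE0000080),
                                  (".data", 0x35000, 0x34A00, 0xE0000040)])
PLAIN = build_synthetic_pe([(".text", 0x20000, 0x20000, 0x60000020),
                            (".data", 0x4000, 0x2000, 0xC0000040),
                            (".rsrc", 0x1000, 0x1000, 0x40000040)])

if __name__ == "__main__":
    for label, img in (("upx", UPX_LIKE), ("renamed", RENAMED_UPX), ("plain", PLAIN)):
        print(label, upx_indicators(img) or "no indicators")
```

The name check alone is what the cheapest scanners do and is what a renamed build defeats; the empty-on-disk, writable-and-executable first section is the part to keep in a rule. It is still a heuristic: a positive means "unpack and look again", not "malicious".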

Processes

  • C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "
          4⤵
            PID:1688
      • C:\Windows\Temp\svhost.exe
        C:\Windows\Temp\svhost.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2904
      • C:\Windows\Temp\svhost.exe
        C:\Windows\Temp\svhost.exe
        2⤵
        • Executes dropped EXE
        PID:2724
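Two things in the tree above are worth pinning down before writing host rules from it. The extracted config says install:false and persistence:false, yet the "Adds Run key" signature is attributed to the initial process (PID 2240), so the persistence seen here comes from the outer dropper rather than from the DarkComet payload it writes to C:\Windows\Temp\svhost.exe. And PID 2240 is the process showing SetThreadContext and WriteProcessMemory while the memory dumps cover 0x400000-0x4BA000 of svhost.exe (PID 2904), a pattern consistent with the dropper writing into the child it starts, though the report does not say so. The example below is added here and is not code from the sandbox: it encodes the chain (dropper to cmd.exe to wscript.exe with a .vbs wrapper and a .bat argument, back to cmd.exe; an svchost.exe lookalike launched from C:\Windows\Temp; a Run-key write; the C2 lookup) as rules over Sysmon-style events. The events are constructed from the process tree; the parent of the dropper, the Run-key value name and the SID placeholder are hypothetical.

```python
"""Host-side rules for the behaviour chain in this report, run over constructed
Sysmon-style events (added example; not the sandbox's raw logs)."""
import re

# IOCs from the report.
C2_DOMAIN = "darkcometsa.zapto.org"
DDNS_SUFFIXES = (".zapto.org",)                      # No-IP dynamic-DNS zone used by the C2
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\67abc4d8511bef88b5cd7b5884951bf5_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
SVHOST = r"C:\Windows\Temp\svhost.exe"

# Constructed events; id 1 = process create, 13 = registry value set, 22 = DNS query (Sysmon numbering).
EVENTS = [
    {"id": 1, "pid": 2240, "image": DROPPER, "cmd": '"%s"' % DROPPER,
     "parent": r"C:\Windows\explorer.exe"},                                    # hypothetical parent
    {"id": 1, "pid": 2680, "image": CMD,
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca.bat" "', "parent": DROPPER},
    {"id": 1, "pid": 2200, "image": WSCRIPT,
     "cmd": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\caca2.bat',
     "parent": CMD},
    {"id": 1, "pid": 1688, "image": CMD,
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\caca2.bat" "', "parent": WSCRIPT},
    {"id": 1, "pid": 2904, "image": SVHOST, "cmd": SVHOST, "parent": DROPPER},
    {"id": 13, "pid": 2240, "image": DROPPER,
     "target": r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\svhost"},   # hypothetical value name
    {"id": 22, "pid": 2904, "image": SVHOST, "query": C2_DOMAIN, "answer": "94.73.32.235"},
    # benign control: the real service host started from System32
    {"id": 1, "pid": 3000, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
]


def _lev(a, b):
    """Levenshtein distance; used to catch names one edit away from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect(events):
    """Return a list of (pid, reason) for every event that matches a rule."""
    hits = []
    for e in events:
        img, cmd, parent = (e.get(k, "").lower() for k in ("image", "cmd", "parent"))
        base = img.rsplit("\\", 1)[-1]
        if e["id"] == 1:
            if base == "wscript.exe" and ".vbs" in cmd and ".bat" in cmd:
                hits.append((e["pid"], "wscript.exe runs a .vbs wrapper that launches a .bat"))
            if base == "cmd.exe" and parent.endswith(("\\wscript.exe", "\\cscript.exe")):
                hits.append((e["pid"], "cmd.exe spawned by a script host"))
            if img.startswith("c:\\windows\\temp\\"):
                hits.append((e["pid"], "executable launched from C:\\Windows\\Temp"))
            if (base == "svchost.exe" and not img.startswith(SYSTEM_DIRS)) or \
               (base != "svchost.exe" and _lev(base, "svchost.exe") <= 1):
                hits.append((e["pid"], "svchost.exe lookalike: " + base))
        elif e["id"] == 13 and RUN_KEY_RE.search(e.get("target", "")):
            hits.append((e["pid"], "Run key set: " + e["target"]))
        elif e["id"] == 22:
            q = e.get("query", "").lower()
            if q == C2_DOMAIN or q.endswith(DDNS_SUFFIXES):
                hits.append((e["pid"], "DNS lookup of C2/DDNS domain " + q))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The mutex DC_MUTEX-DTNGSWK from the config is not visible in process-creation telemetry; it is a handle-table or memory artefact and belongs in a memory scan rather than in these rules. The Run-key and DNS rules are the narrow, IOC-bound ones; the script-host and lookalike rules are the ones that still fire when the next build changes file names.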

    Network

    • DNS: 3 queries from svhost.exe to 8.8.8.8:53 (US), 67 B sent / 83 B received, 1 packet each way per query
      Request: darkcometsa.zapto.org IN A
      Response: darkcometsa.zapto.org IN A 94.73.32.235
    • TCP: 8 connections from svhost.exe to 94.73.32.235:1604 (darkcometsa.zapto.org)
      7 connections of 152 B / 3 packets each; the eighth has no byte or packet count recorded
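Three network signals are on this page: the C2 name sits under zapto.org, a No-IP dynamic-DNS zone; the connections go to TCP 1604, DarkComet's default port; and the flows are repeated, short and all the same size (152 B, 3 packets), which is what a check-in loop that never gets a reply looks like. The following is an added example, not sandbox output, that scores a destination on those three signals over Zeek-style conn and dns records. The records are constructed from the entries above; the client address 10.0.2.15, the timestamps and the benign 203.0.113.10:443 flows are made up.

```python
"""Network-side triage of the DNS and TCP records in this report, over constructed
Zeek-style records (added example; the client IP, timestamps and benign flows are made up)."""
from collections import defaultdict

DDNS_ZONES = ("zapto.org", "no-ip.org", "ddns.net", "hopto.org")   # No-IP dynamic-DNS zones
DARKCOMET_DEFAULT_PORT = 1604

DNS_LOG = [   # three identical lookups, as in the report
    {"ts": 100 + 30 * i, "src": "10.0.2.15", "resolver": "8.8.8.8",
     "query": "darkcometsa.zapto.org", "answers": ["94.73.32.235"]} for i in range(3)
]
CONN_LOG = (
    [{"ts": 101 + 30 * i, "src": "10.0.2.15", "dst": "94.73.32.235", "dport": 1604,
      "orig_bytes": 152, "orig_pkts": 3} for i in range(7)]
    # the eighth connection in the report carries no byte or packet count
    + [{"ts": 400, "src": "10.0.2.15", "dst": "94.73.32.235", "dport": 1604,
        "orig_bytes": None, "orig_pkts": None}]
    # benign control traffic (constructed)
    + [{"ts": 50 + i, "src": "10.0.2.15", "dst": "203.0.113.10", "dport": 443,
        "orig_bytes": 900 + 137 * i, "orig_pkts": 9 + i} for i in range(2)]
)


def ddns_resolutions(dns_log):
    """Map each answer IP to the dynamic-DNS names that resolved to it."""
    ip_to_names = defaultdict(set)
    zones = tuple("." + z for z in DDNS_ZONES)
    for rec in dns_log:
        q = rec["query"].lower()
        if q.endswith(zones):
            for ip in rec["answers"]:
                ip_to_names[ip].add(q)
    return ip_to_names


def beacon_candidates(conn_log, min_conns=5):
    """Group flows by destination; flag groups with many connections of identical size.
    Returns {(dst, dport): (count, size)}."""
    groups = defaultdict(list)
    for c in conn_log:
        groups[(c["dst"], c["dport"])].append(c)
    out = {}
    for key, flows in groups.items():
        sizes = [c["orig_bytes"] for c in flows if c["orig_bytes"]]   # skip flows with no payload recorded
        if len(sizes) >= min_conns and len(set(sizes)) == 1:
            out[key] = (len(sizes), sizes[0])
    return out


def analyse(dns_log, conn_log):
    """Combine the three signals per destination; returns {(dst, dport): [reasons]}."""
    ddns = ddns_resolutions(dns_log)
    beacons = beacon_candidates(conn_log)
    findings = defaultdict(list)
    for key in sorted({(c["dst"], c["dport"]) for c in conn_log}):
        dst, dport = key
        if dst in ddns:
            findings[key].append("resolved-from-ddns:" + ",".join(sorted(ddns[dst])))
        if dport == DARKCOMET_DEFAULT_PORT:
            findings[key].append("darkcomet-default-port")
        if key in beacons:
            n, size = beacons[key]
            findings[key].append("fixed-size-beacon:%dx%dB" % (n, size))
    return dict(findings)


if __name__ == "__main__":
    for (dst, dport), reasons in analyse(DNS_LOG, CONN_LOG).items():
        print("%s:%d" % (dst, dport), reasons)
```

Of the three, the fixed-size repeated flow is the one to weight: the operator can change the port in the builder and the domain is whatever No-IP hands out, but a client that retries the same handshake every few seconds looks the same regardless. Dynamic-DNS resolution on its own is a weak signal and should only raise the score of a destination, not alert by itself.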

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\caca.bat

      Filesize

      47B

      MD5

      58ccb87aa1da4939df403810f1e68b6b

      SHA1

      dc8551f41682e5cb1dd25af3f11a789b1d37b295

      SHA256

      eccc9f27214ff49689c1f597c0d3d3a3e45391064fd0baa9b5e0e03931b7822b

      SHA512

      17ad698f496a445c5cbd0972df9fe966081a3cbee33fb7d7e003890ae946c65687b85b9b16990a872338d00d798b82dee06e86bd2d38b01ad292048134688fd0

    • C:\Users\Admin\AppData\Local\Temp\caca2.bat

      Filesize

      52B

      MD5

      e51bad636923af01489010f23eb805f5

      SHA1

      e7b519d49ebcc84896c46035dd799430c0f56d6f

      SHA256

      b8d1ffbf3c846ed148e3bc7c73918626ed89290d03047760420509c177ad9092

      SHA512

      11c32d00bc33c21c8cab64a524f529c24c2aa0c7097c1d937aa9558ba931493f2ae15b78e8f1c7ebedb4396a8bec2e22682c39dfb2ce9419bccec590793ce8eb

    • C:\Users\Admin\AppData\Local\Temp\invs.vbs

      Filesize

      78B

      MD5

      c578d9653b22800c3eb6b6a51219bbb8

      SHA1

      a97aa251901bbe179a48dbc7a0c1872e163b1f2d

      SHA256

      20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

      SHA512

      3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

    • C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

      Filesize

      653KB

      MD5

      67abc4d8511bef88b5cd7b5884951bf5

      SHA1

      1e6e8907e291bb71e3d2d1b5050be3a60d39f646

      SHA256

      71e9c343e1350db04d97d960f91163ea0d8c33d8149ab6225b0e018e8c161181

      SHA512

      bdd62c7d12dad525a874c689a4f46c7ff068eb2b96620a6945b87ca6e66db54f21652c26ca10eae286f048accf634f1af85aff2439fd4985f596f3108bcd8b7a

    • \Windows\Temp\svhost.exe

      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    • memory/2240-1-0x0000000074CF0000-0x000000007529B000-memory.dmp

      Filesize

      5.7MB

    • memory/2240-2-0x0000000074CF0000-0x000000007529B000-memory.dmp

      Filesize

      5.7MB

    • memory/2240-55-0x0000000074CF0000-0x000000007529B000-memory.dmp

      Filesize

      5.7MB

    • memory/2240-0-0x0000000074CF1000-0x0000000074CF2000-memory.dmp

      Filesize

      4KB

    • memory/2240-53-0x0000000074CF0000-0x000000007529B000-memory.dmp

      Filesize

      5.7MB

    • memory/2904-36-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-42-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-22-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-40-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-41-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-39-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-43-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-24-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-38-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2904-30-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-52-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-26-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-34-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

    • memory/2904-57-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB
