Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 04:03

General

  • Target

    ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe

  • Size

    880KB

  • MD5

    ba480da41b6ec6f00fc0d7caf9f11cb3

  • SHA1

    f924f6baa35057ea88154faed0213c154eadcfa0

  • SHA256

    47256456d9897ef71eb4a944fbde08aa388aabb85645b5b79ba6dc0c9a106124

  • SHA512

    adfa3b2c264d1bcfa82e2d94187a073905cfe55aa08690a1d9e79d9a6a8bc7fe523e49d8bcbd43beec5ab62e26c558e57e7ff72e46d1aa5973fd77d5a39a0b9f

  • SSDEEP

    24576:9+6LCb7OdjFbdRGe9PiuImyEaNCXhgtNz5WhCdSjD4kbQsbq7480/uSUsQ6F:9pnCe9qIeNCqfb4j1bT

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ba480da41b6ec6f00fc0d7caf9f11cb3_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:11744
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Instructions.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Instructions.txt

    Filesize

    360B

    MD5

    036d4adeb724a007fb00011734b5a3e2

    SHA1

    1d0f70d7b442bee1741702394dcc917cb13c9064

    SHA256

    e1a0dcf6046381884d91d8e70b48b76548520f2f3fb87391d14b6af0d9609036

    SHA512

    5d02f692e8ff7927498ef750091da86ae2b85b4f73f7ee29721207b1fb4055c0b47f38333dc0e2eaf7b0bca6a50f0291d68826637d4b7d467965c19866979d2f

  • C:\Users\Admin\AppData\Local\Temp\crypted.exe

    Filesize

    645KB

    MD5

    d2612794fd2d21874ffb92b2bfef2407

    SHA1

    a74255beeb2a61ef598dd10fd50f8e1ba25a574b

    SHA256

    6eb607fa53c977d8fbd3ad8578f574dad83bebd5daf865a04df0a8afb9daee33

    SHA512

    e0c594217064ac12cc6e780aa4e0b171103d974fbb59113ad9f7763601e24c7f8a91a607dc43179b5e28bab27bf47ee7c16598b1f9569620fc6ef0f83f7accfd

  • memory/1968-29-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-33-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-13-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-71-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-15-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-17-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-19-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-27-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-73-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-75-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-31-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-35-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-37-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-65-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-67-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/1968-69-0x0000000000340000-0x00000000003E2000-memory.dmp

    Filesize

    648KB

  • memory/2900-10-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB

  • memory/2900-0-0x000007FEF606E000-0x000007FEF606F000-memory.dmp

    Filesize

    4KB

  • memory/2900-3-0x000007FEF5DB0000-0x000007FEF674D000-memory.dmp

    Filesize

    9.6MB