Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 03:21

General

  • Target

    ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe

  • Size

    594KB

  • MD5

    ecbe2788da186fb254c618b21d446303

  • SHA1

    0e261dd24f00ad297e93086d9cf1326933137997

  • SHA256

    2450d1e8bea7cb4606191aa62c208974ab98f7ac3dcefa6a3b09286818a1168d

  • SHA512

    93041cb0cf554684a197af525caba96da02f0b45b2d3aa23e140e6ca9c15bb9c4b7f3001fd0f3410a9d2ffacecb47027f742fb10982f87b180462c60cb723bf9

  • SSDEEP

    12288:jK2mhAMJ/cPl+RhW13QPKP21+UDgni/O6AcEeC1d5MytGkNErbYy43AS+HGW+w5l:G2O/Gl+zSQPKP21dD+R6AcEeC1dxzNED

Malware Config

Extracted

Family

darkcomet

Botnet

Trillian

C2

essstzttztz.zapto.org:1612

Mutex

DC_MUTEX-1KBKQVH

Attributes
  • gencode

    nrKvEnTT3cgT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

latentbot

C2

essstzttztz.zapto.org

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ecbe2788da186fb254c618b21d446303_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\uus.exe
      "C:\Users\Admin\AppData\Local\Temp\uus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\maqui.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run" /v taskmgbj.exe /d "C:\Users\Admin\AppData\Local\Temp\taskmgbj.exe A" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2912
      • C:\Windows\SysWOW64\cmdl32.exe
        "C:\Windows\system32\cmdl32.exe "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2644
      • C:\Windows\SysWOW64\cmdl32.exe
        "C:\Windows\system32\cmdl32.exe "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
    • C:\Users\Admin\AppData\Local\Temp\tinychat.exe
      "C:\Users\Admin\AppData\Local\Temp\tinychat.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\maqui.bat

    Filesize

    150B

    MD5

    91f95ff4f3b92893ee4ea67a533da526

    SHA1

    2b17c54f07df8f803446032dbdf70f8384158f78

    SHA256

    167ea6d50160180eafeb164fe6d8fdadc90e22dafa655c99e561acd486fec11a

    SHA512

    73fbf0ddda81fdc8f699e75d0d2e7c9f3584d555273f5cf0625d95af55aaf94f3ff62f611cd16b0bbcccd89c31c11126345f7dc01b65edd51756e88dcbd0de99

  • C:\Users\Admin\AppData\Local\Temp\uus.exe

    Filesize

    312KB

    MD5

    75e8479191225e9543a43f6366cd73fd

    SHA1

    c591454985172f83b221e4e1ec0fdc60c4fc93c2

    SHA256

    4b0fca92cd6e7828dc80494062b7965bfb8dad5e77ee4ae84a8ffec1b4d9eed1

    SHA512

    6654ff9393f73bfbe2a7b4feb8eeb2b7dd801c580c1682f46f200bb19a91df75276d776c7475d603f782f6e5078317ff87542518c4d7dd62a63596a80b71b0bd

  • \Users\Admin\AppData\Local\Temp\tinychat.EXE

    Filesize

    52KB

    MD5

    32254a9009a89147f5cfbd03ba2cee84

    SHA1

    578439fa4e02a795e44945bb2cb1edd1cb9245ab

    SHA256

    07ff1f83289f3ad2d7a19d734cb9137517ee7e2cd52160a0f7d599e2ca590e88

    SHA512

    182c62bd60ac437c4bf8781f74eb49e29312382f066d6acda72db90c91a0c996716c018522db5d3c516463286e8e3dee1f8c8c2d6b621ecf6f55152dd8ee0904

  • memory/1576-23-0x0000000001FF0000-0x0000000002016000-memory.dmp

    Filesize

    152KB

  • memory/1576-35-0x0000000001FF0000-0x0000000002016000-memory.dmp

    Filesize

    152KB

  • memory/1576-33-0x0000000001FF0000-0x0000000002016000-memory.dmp

    Filesize

    152KB

  • memory/1872-86-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/1872-39-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2008-95-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB

  • memory/2008-105-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB

  • memory/2008-110-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB

  • memory/2008-96-0x0000000000090000-0x0000000000190000-memory.dmp

    Filesize

    1024KB

  • memory/2644-72-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-78-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-79-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-80-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-81-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-77-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-67-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2644-76-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2644-58-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB