General

  • Target

    139b0c8c03fc3bd86b5041ef7f34cfc7_JaffaCakes118

  • Size

    1.0MB

  • Sample

    241004-q457ta1glf

  • MD5

    139b0c8c03fc3bd86b5041ef7f34cfc7

  • SHA1

    7956809db231e32d7766011f69f24fe760a730b8

  • SHA256

    b86d368a102ce764870b2cf2197e48496d91a94e4ab59bc61eecf92d9edba3bf

  • SHA512

    8a3fb1e0981fe6518ad7dc9098dd3c840ce2d5724b9b584e93bd66b337b9a7bd3b7498fd6f10d3f23f94450dc6bc1f4799796b44d867a4b4060e1bec8b20b7a0

  • SSDEEP

    24576:aNlCkb9m3NFzLGe4obPDyPzjChH0rqRlvbyhhgIWH:aNZm3ffSobkjChHUqwxWH

Malware Config

Extracted

Family

darkcomet

Botnet

DarkComet

C2

armedpickler1235.no-ip.biz:200

Mutex

DC_MUTEX-4D3WYFP

Attributes

  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    m7kUMvwZgV2P

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      MW3 Prestige Hack 2012.exe

    • Size

      1.3MB

    • MD5

      a30160656f3d8b9db8eb21310b2e5009

    • SHA1

      ac74646751f8dbc7bcccac8860e759471e2212c7

    • SHA256

      78cd2433efcd65d483ea4f7fc78557998832ff2048eaee73ed7e9f4744ae9510

    • SHA512

      80c81d2048371396629891fb4795f977e6122622b66dbe44f0120e298a1b8a8bf47899a8d35384d8fd21355cc9750751100db8b73c934eb0fc1a98d3f344b24c

    • SSDEEP

      24576:HhqGVu34oC7sgH2O2Vi5mF3jByDk9n3U6nClYtV7qMcJvv66z35vz17Dh4MA9d:HhqkpWBgk9Dn0YfqMcJH66L5BPhy

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks