Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4cf74d9c58...18.exe

windows7-x64

10

4cf74d9c58...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/10/2024, 12:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cf74d9c5858ec807505f275a1c2233c_JaffaCakes118.exe

  • Size

    709KB

  • MD5

    4cf74d9c5858ec807505f275a1c2233c

  • SHA1

    a562d3c4649db10641573fda70151c6e2a07ac24

  • SHA256

    354d9c8829f6cec109e893dc0d508cb89255d50870b51fb7993e89dcd4f7e55f

  • SHA512

    7fde6f1f9f3a571a8b5a08fba3ab363506c696e7ee681dc45de832097fbb2694fdc5a305867c15133d7bfd6f1d6f9c3630bc88a7eeafe66a1708ebba22280cbf

  • SSDEEP

    12288:YMcUk+kRAc24fLzyxJc+N7z6dapztN29j2srAQaKKemQXYkHppp7ET:YXWk524DL07GdGq52MpKIXYkHpp

Score
10/10
darkcomet0708discoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

0708

C2

ilogical.no-ip.org:1605

Mutex

DC_MUTEX-F3JQ150

Attributes
  • gencode

    CLvz5adYp95V

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cf74d9c5858ec807505f275a1c2233c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4cf74d9c5858ec807505f275a1c2233c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\AppLaunch\service.exe
      C:\Users\Admin\AppData\Local\Temp\\AppLaunch\service.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2820

Network

  • flag-us
    DNS
    ilogical.no-ip.org
    service.exe
    Remote address:
    8.8.8.8:53
    Request
    ilogical.no-ip.org
    IN A
    Response
No results found
  • 8.8.8.8:53
    ilogical.no-ip.org
    dns
    service.exe
    64 B
     124 B
     1
    1

    DNS Request

    ilogical.no-ip.org

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AppLaunch\service.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • memory/2156-0-0x0000000073E51000-0x0000000073E52000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2156-1-0x0000000073E50000-0x00000000743FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-2-0x0000000073E50000-0x00000000743FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-3-0x0000000073E50000-0x00000000743FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-29-0x0000000073E50000-0x00000000743FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2156-28-0x0000000073E50000-0x00000000743FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2820-15-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-33-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-18-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-13-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-11-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-22-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-25-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-26-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-24-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-23-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-21-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-20-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-30-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-31-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-32-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2820-34-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-35-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-36-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-37-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-38-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-39-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-40-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-41-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-42-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-43-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-44-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-45-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/2820-46-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.