Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 00:40 UTC

General

  • Target

    80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe

  • Size

    967KB

  • MD5

    80dba74db71df9c685d95d9ed424259b

  • SHA1

    a51676aaeb198e446cd3a5f30365e6ed7b01fbb4

  • SHA256

    c4c8030515830674d193bbc206b1e7e24f8b37fd3622bf0360c8ac898fbc09d6

  • SHA512

    f4214fc7ff2b50335a594564bbc247b80eddd4b04dd890a2feef090e8c8296893fe3caf85eb86a840d2210b448be3bf4502c6235eda26c1d17af91494c3ab1ea

  • SSDEEP

    24576:9thEVaPqLY2cWcOrcEMEsDhec44t+Ry34WyuHOiWzTt:lEVUcYycOYEMbec4E12JiWzTt

Malware Config

Extracted

Family

darkcomet

Botnet

BOT

C2

filmaaron.zapto.org:1604

Mutex

DC_MUTEX-763A3YD

Attributes
  • InstallPath

    Windows\explorer.exe

  • gencode

    dxbTSas2vRAQ

  • install

    true

  • offline_keylogger

    true

  • password

    0123456789

  • persistence

    true

  • reg_key

    Explorateur Windows

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2868
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2924
      • C:\Users\Admin\AppData\Roaming\Windows\explorer.exe
        "C:\Users\Admin\AppData\Roaming\Windows\explorer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:388
        • C:\Users\Admin\AppData\Roaming\Windows\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Windows\explorer.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1140

Network

  • flag-us
    DNS
    filmaaron.zapto.org
    explorer.exe
    Remote address:
    8.8.8.8:53
    Request
    filmaaron.zapto.org
    IN A
    Response
    No results found
  • 8.8.8.8:53
    filmaaron.zapto.org
    dns
    explorer.exe
    65 B
    125 B
    1
    1

    DNS Request

    filmaaron.zapto.org

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cgkvpfa

    Filesize

    11KB

    MD5

    dc38f1bf50a20e861d3b563cacbf2349

    SHA1

    13bad534740048ffa4cdaff344334f9ebcaec531

    SHA256

    3400b825eedb7de3709f71a1a224d4a246054585cc2d0d1acbd86f7c78762269

    SHA512

    8f4f49ce4ecf1480f60fa38675296de77c156f15d2c918b8059f9ca19fd5a14de8d7cc958a82fc702e97bed4d08f235b905d2d6cd5eb47ad7671ae59e5511fcf

  • \Users\Admin\AppData\Roaming\Windows\explorer.exe

    Filesize

    967KB

    MD5

    80dba74db71df9c685d95d9ed424259b

    SHA1

    a51676aaeb198e446cd3a5f30365e6ed7b01fbb4

    SHA256

    c4c8030515830674d193bbc206b1e7e24f8b37fd3622bf0360c8ac898fbc09d6

    SHA512

    f4214fc7ff2b50335a594564bbc247b80eddd4b04dd890a2feef090e8c8296893fe3caf85eb86a840d2210b448be3bf4502c6235eda26c1d17af91494c3ab1ea

  • memory/388-85-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/1140-91-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1140-86-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1140-88-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1140-87-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2592-27-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2592-0-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2876-26-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-17-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-12-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-22-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-10-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-8-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-89-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-14-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-18-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-24-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-29-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-28-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2876-21-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2924-51-0x0000000000010000-0x0000000000011000-memory.dmp

    Filesize

    4KB

  • memory/2924-33-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB