Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

b059b04942...18.exe

windows7-x64

10

b059b04942...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2024, 09:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    b059b04942a14a27223f4bb9149d8eb0

  • SHA1

    45ddf1c31abf3aeb85a4f691a4a6569fa4703707

  • SHA256

    438d2ed17d7a6b8e0cb6267072fc2b8bf50c33d1507dc1849e9f1968f3acd287

  • SHA512

    f8711e971d5fb24662ee09ef70451eead70e2e9b3291ce0dadfac0824fd8ea3778fd6cb8991bc25e49c2d057ea256489a5664a606db455eca366ec19b7e865dd

  • SSDEEP

    49152:aELbVMTrOq4qQoJZdiyqcsxWjI9I/KTvUwhq5:a6b+f7QoPjIS/KTMwE

Score
10/10
darkcometguest16discoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

kbotdarkorbit.no-ip.org:10

189.186.45.5:10

192.168.1.196:10
Mutex

DC_MUTEX-RK3KJAL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    CYK1BgXzzXZt

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\Pinguino.exe
      C:\Users\Admin\AppData\Local\Temp\Pinguino.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1808
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:540
    • C:\Users\Admin\AppData\Local\Temp\Pinguinino.exe
      C:\Users\Admin\AppData\Local\Temp\Pinguinino.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2736

Network

  • flag-us
    DNS
    kbotdarkorbit.no-ip.org
    msdcsc.exe
    Remote address:
    8.8.8.8:53
    Request
    kbotdarkorbit.no-ip.org
    IN A
    Response
  • 189.186.45.5:10
    msdcsc.exe
    152 B
     3
  • 192.168.1.196:10
    msdcsc.exe
    152 B
     3
  • 189.186.45.5:10
    msdcsc.exe
    152 B
     3
  • 192.168.1.196:10
    msdcsc.exe
    152 B
     3
  • 189.186.45.5:10
    msdcsc.exe
    152 B
     3
  • 192.168.1.196:10
    msdcsc.exe
    152 B
     3
  • 189.186.45.5:10
    msdcsc.exe
    152 B
     3
  • 8.8.8.8:53
    kbotdarkorbit.no-ip.org
    dns
    msdcsc.exe
    69 B
     129 B
     1
    1

    DNS Request

    kbotdarkorbit.no-ip.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Pinguinino.exe
    Filesize

    2.0MB

    MD5

    912454c38854e21d9af16a272f5ef3e9

    SHA1

    50efd67b77951a0ab97da43307467aa369379b5e

    SHA256

    e1046e9aa8689c398dcd7a7f479b4c9d209e40f276217f63f1e0e2e7e09432db

    SHA512

    a3a3eaec78ded843013f2a21abdb44f3d3e71b0c2f9cb72088f23e31d1e70cd423df3aef4c92bdfb2609945918ccb520700796bc3f22ed52c5be7a535e965930

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Pinguino.exe
    Filesize

    758KB

    MD5

    d35174b7411449f97b526ed171d6efeb

    SHA1

    571ce1097e3f73a8aa0ad63ebf1cbe1230a407b3

    SHA256

    e0dc4f7eba7cb9c9c657e1ca70c51c5f3a25fe408cb90fa6f99807cfc24e67b9

    SHA512

    ae0a09328f6d60fb784b2ab02f92159a2dde928a024c978eacb2197ffa8d788f2cbaaac4e5d4afde353c34beac2c6a9b0e9a7d4156231491327f0c70edffa9f9

    Download Submit

  • memory/540-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1808-19-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1808-34-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-85-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/2268-86-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/2268-87-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/2268-89-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/2736-84-0x0000000000400000-0x0000000000609000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2776-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2776-43-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.