
Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/11/2024, 09:33 UTC

General

  • Target

    b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    b059b04942a14a27223f4bb9149d8eb0

  • SHA1

    45ddf1c31abf3aeb85a4f691a4a6569fa4703707

  • SHA256

    438d2ed17d7a6b8e0cb6267072fc2b8bf50c33d1507dc1849e9f1968f3acd287

  • SHA512

    f8711e971d5fb24662ee09ef70451eead70e2e9b3291ce0dadfac0824fd8ea3778fd6cb8991bc25e49c2d057ea256489a5664a606db455eca366ec19b7e865dd

  • SSDEEP

    49152:aELbVMTrOq4qQoJZdiyqcsxWjI9I/KTvUwhq5:a6b+f7QoPjIS/KTMwE

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

kbotdarkorbit.no-ip.org:10

189.186.45.5:10

192.168.1.196:10

Mutex

DC_MUTEX-RK3KJAL

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    CYK1BgXzzXZt

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b059b04942a14a27223f4bb9149d8eb0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\Pinguino.exe
      C:\Users\Admin\AppData\Local\Temp\Pinguino.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1808
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          • System Location Discovery: System Language Discovery
          PID:540
    • C:\Users\Admin\AppData\Local\Temp\Pinguinino.exe
      C:\Users\Admin\AppData\Local\Temp\Pinguinino.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:2736

Network

  • DNS lookup (flag-us)
    Domain: kbotdarkorbit.no-ip.org
    Process: msdcsc.exe
    Remote address: 8.8.8.8:53
    Request: kbotdarkorbit.no-ip.org IN A
    Response:
  • 189.186.45.5:10 | msdcsc.exe | 152 B | 3
  • 192.168.1.196:10 | msdcsc.exe | 152 B | 3
  • 189.186.45.5:10 | msdcsc.exe | 152 B | 3
  • 192.168.1.196:10 | msdcsc.exe | 152 B | 3
  • 189.186.45.5:10 | msdcsc.exe | 152 B | 3
  • 192.168.1.196:10 | msdcsc.exe | 152 B | 3
  • 189.186.45.5:10 | msdcsc.exe | 152 B | 3
  • 8.8.8.8:53 | kbotdarkorbit.no-ip.org | dns | msdcsc.exe | 69 B | 129 B | 1 | 1
    DNS Request: kbotdarkorbit.no-ip.org

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Pinguinino.exe

    Filesize

    2.0MB

    MD5

    912454c38854e21d9af16a272f5ef3e9

    SHA1

    50efd67b77951a0ab97da43307467aa369379b5e

    SHA256

    e1046e9aa8689c398dcd7a7f479b4c9d209e40f276217f63f1e0e2e7e09432db

    SHA512

    a3a3eaec78ded843013f2a21abdb44f3d3e71b0c2f9cb72088f23e31d1e70cd423df3aef4c92bdfb2609945918ccb520700796bc3f22ed52c5be7a535e965930

  • \Users\Admin\AppData\Local\Temp\Pinguino.exe

    Filesize

    758KB

    MD5

    d35174b7411449f97b526ed171d6efeb

    SHA1

    571ce1097e3f73a8aa0ad63ebf1cbe1230a407b3

    SHA256

    e0dc4f7eba7cb9c9c657e1ca70c51c5f3a25fe408cb90fa6f99807cfc24e67b9

    SHA512

    ae0a09328f6d60fb784b2ab02f92159a2dde928a024c978eacb2197ffa8d788f2cbaaac4e5d4afde353c34beac2c6a9b0e9a7d4156231491327f0c70edffa9f9

  • memory/540-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/1808-19-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/1808-34-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB

  • memory/2268-85-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2268-86-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2268-87-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2268-89-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

  • memory/2736-84-0x0000000000400000-0x0000000000609000-memory.dmp

    Filesize

    2.0MB

  • memory/2776-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2776-43-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB
