Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/12/2024, 04:10 UTC

General

  • Target

    f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe

  • Size

    3.2MB

  • MD5

    f2395e55fc1ed3d2eda2a3bdd13d8af6

  • SHA1

    bf5fa44a16a1ba7d772b6722552ed9525a965ee1

  • SHA256

    cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

  • SHA512

    69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f

  • SSDEEP

    49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f

Malware Config

Extracted

Family

darkcomet

Botnet

ROLLEO

C2

127.0.0.1:1607

109.226.126.84:1607

Mutex

DC_MUTEX-SR7HAR4

Attributes
  • InstallPath

    WindowsDefencer\Update.exe

  • gencode

    TeJuc1dkNHmJ

  • install

    true

  • offline_keylogger

    false

  • persistence

    true

  • reg_key

    Windows Defencer

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Disables RegEdit via registry modification (2 IoCs)
  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes so that the file is not shown in Explorer and similar tools.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • UPX packed file (7 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\borodacraft.exe
      "C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2356
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2772
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2828
      • C:\Windows\SysWOW64\WindowsDefencer\Update.exe
        "C:\Windows\system32\WindowsDefencer\Update.exe"
        3⤵
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Disables RegEdit via registry modification
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2300

Network

  • 109.226.126.84:1607
    iexplore.exe
    152 B
    3
  • 127.0.0.1:1607
    iexplore.exe

Downloads

  • C:\Users\Admin\AppData\Local\Temp\borodacraft.exe

    Filesize

    3.0MB

    MD5

    e01dfbe76c690a070ec522d0091a9b3a

    SHA1

    3233ef818c3cc27e07612b7db236b74798eca8f7

    SHA256

    f4d4b2be4cfc692bf9e3a48a93b038280d6dca1dc69956bcae3707abf97d1686

    SHA512

    ace329d994a6bc7317401e31d7f2e830e9bb17488891c3fc56c14e03b2a2e72b599b7b4f41cc2f59b781c22478e69461791e1a7ba14c27cd845567b3d5f8b406

  • C:\Users\Admin\AppData\Local\Temp\file.exe

    Filesize

    252KB

    MD5

    49e04125173bdb0f292b0abb13db301d

    SHA1

    00bce84c8a0b6b71d03fa032aff71eb3500b2147

    SHA256

    f0bbed6d47a04063aa467df02a87991e25bf744ee0eec4e31cff20f1ac110a29

    SHA512

    af083f3620e1401f619314014405ed8ffe3a938e15c6a04fdf204c32d348f52d21ff36ed084ba6fcf0a6f292c3d12becee08c229fc4c9ac14b234f594a2bbeb9

  • memory/1828-68-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2388-20-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2388-22-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2388-60-0x0000000003FF0000-0x00000000040A7000-memory.dmp

    Filesize

    732KB

  • memory/2388-111-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2796-63-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2796-66-0x0000000000230000-0x00000000002E7000-memory.dmp

    Filesize

    732KB

  • memory/2796-70-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2828-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/2828-27-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB
