Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2025, 18:31

General

  • Target

    JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe

  • Size

    797KB

  • MD5

    7b2c058c92c0bfcdc36f6eb6bcd0f66b

  • SHA1

    c7eb1f8c37df44d4f5560f1734dafdd12ed6477e

  • SHA256

    776d7d11b5d27b5b3a713f3839fd7128e05fa6a9134fa2fed9b2928e59852322

  • SHA512

    328816178c32125b73c01d03bd9670ae703e3a35c11c53e0ebbe43a9739b14ba2e77fa26be0cf215add3e2766035342253d668cb5b3f3012a172c18e60e8bec4

  • SSDEEP

    12288:QQLcijICEZ+6vFkqeXGvyxngsm/CEUCR264lGYxtFYB6dsqvPMySJR2SePaG1vhW:ZcfZxFTKn8/+CR26gGYxUYFvPMygGBW

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

imdaco.no-ip.org:1604

Mutex

DC_MUTEX-L9KM9Y7

Attributes
  • InstallPath

    MSDCS\Rundll32.exe

  • gencode

    LJp33LCadVtB

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Rundll32

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:580
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
      • C:\MSDCS\Rundll32.exe
        "C:\MSDCS\Rundll32.exe"
        3⤵
        • Executes dropped EXE
        PID:1580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSDCS\Rundll32.exe

    Filesize

    75KB

    MD5

    3d7d2e825c63ff501e896cf008c70d75

    SHA1

    24e1e56df2c1e85b224b4360235513e79f03d3fc

    SHA256

    037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1

    SHA512

    57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21

  • memory/2720-10-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2720-1-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2720-2-0x0000000074010000-0x00000000745BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2720-0-0x0000000074011000-0x0000000074012000-memory.dmp

    Filesize

    4KB

  • memory/2740-26-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/2740-12-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2804-3-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2804-7-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2804-6-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2804-5-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2804-4-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2804-32-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB