Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/01/2025, 07:59

General

  • Target

    JaffaCakes118_68288c29d8546aadc301eda4436def32.exe

  • Size

    2.4MB

  • MD5

    68288c29d8546aadc301eda4436def32

  • SHA1

    b2f25aa72549ab250213e20850aa3e5beab1928f

  • SHA256

    a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

  • SHA512

    d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369

  • SSDEEP

    49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
      "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 624
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2240
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1716

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf

    Filesize

    194KB

    MD5

    8764991d86c925a5f8bbe847cd0f3cb3

    SHA1

    19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e

    SHA256

    5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79

    SHA512

    f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

    Filesize

    72B

    MD5

    fce1348da4bb9cf3e1d986ef6497fe8c

    SHA1

    7f6b3383bd7e34ab31e82e1423a63a7776f147cf

    SHA256

    e6ab6964d84756b18c24e05d442ca43805260d167757edd856c3203e735c0733

    SHA512

    984cca90975f2b29dc2400532006700d765d0216b6e9c515a369548aa8835e476d963f4d95cbb3e04401c9a9ac94657bf1de3cf99dc455f67c0c2c4ec4c659be

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    9ca26a953524d1abfc9d14e27c485d54

    SHA1

    25a8f14424fb118c50965f35196d7cc19b9bdc00

    SHA256

    d8b8d7cfbd3a6d72c1b7d656b073be62347489914ef9c3cc2dd60c0823d0b8b1

    SHA512

    c9d51f931bf3123a2d971fa954ef05598e7bf428f394ba8589a725fc1e1bfb4f49c2f0a8baa12f2675f70288cfb52bbcb43d4eb6937feccd3dcaef7ddf9a13fd

  • \Users\Admin\AppData\Local\Temp\Transaction mangement.exe

    Filesize

    2.2MB

    MD5

    9a540f97fb137ff20426f30e8db62dc8

    SHA1

    1cd77f98dc2797cceb083e6b949261e2ea49fe4e

    SHA256

    d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59

    SHA512

    467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d

  • \Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

  • memory/2784-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2784-25-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-36-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-43-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-33-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-31-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-29-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-38-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-23-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-21-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-19-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-27-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-78-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2784-79-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB