Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

JaffaCakes...f9.exe

windows7-x64

10

JaffaCakes...f9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/03/2025, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_71fe7001a5a0173586e57724323086f9.exe

  • Size

    763KB

  • MD5

    71fe7001a5a0173586e57724323086f9

  • SHA1

    95b565cc9b543e4b839afb61d28f395b2caa3901

  • SHA256

    b342f8987e50c0b71382b1ca6b162b77b94a7415e1cfab565f902018d6a992e0

  • SHA512

    fc0190766a15c455f1fb08f5c039c9a5ccb7f88e4d105531526e6389f73b28f55ce915551eb7a49f3138f26141307c3ce387fa89e3c0ca3a7c7941199564f007

  • SSDEEP

    12288:h4dMRU/UP4heFjLDFtvoSZuUXZRY49SA7GI/p7a6o2Mhi9dl7Lue1VQbhUVzoWCC:qwU/UwhWvBXZpSRSJo2xL7TA7QV

Score
10/10
darkcometguest16defense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

108.34.128.228:81

Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    Windupdt\winupdate.exe

  • gencode

    6-N5MZ9h6NWr

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 3 IoCs
    defense_evasion
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    defense_evasion
  • Disables Task Manager via registry modification
    defense_evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 3 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71fe7001a5a0173586e57724323086f9.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71fe7001a5a0173586e57724323086f9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5880
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2572
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:644
        • C:\Windupdt\winupdate.exe
          "C:\Windupdt\winupdate.exe"
          3⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4612
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            4⤵
              PID:4816
          • C:\Windows\SysWOW64\ping.exe
            ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Roaming\Server.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4680

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Defense Evasion

      Impair Defenses

      3
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      7
      T1112

      Credential Access

      Discovery

      Query Registry

      4
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      5
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        Filesize

        250KB

        MD5

        7a5d128765b380eeb02bf0d05024b0ca

        SHA1

        6ecbe69755cd3075f320a3754f9ba9762cd7629a

        SHA256

        887683ae2a3a2f36b5e5a3b1082809d3a7e6a29a1a2e7a680bf9903b09e27f77

        SHA512

        2448b47f1c082596fc7bfb25edab4c5607b741273af6f3e40bc64a640d0deb18c548aee0265e3a0fdda20df59431c9494d8b154c9c43c1f2da28ad8dc62603e2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\7za.exe
        Filesize

        574KB

        MD5

        42badc1d2f03a8b1e4875740d3d49336

        SHA1

        cee178da1fb05f99af7a3547093122893bd1eb46

        SHA256

        c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

        SHA512

        6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Server.7z
        Filesize

        226KB

        MD5

        b74e7d6048ec86394e5357ac44d4981b

        SHA1

        1caab0d74da8c2ee14acec8a2ebeb7ae396c736e

        SHA256

        b07f8ceb889d6b3f1b024154045b929a2c4096b6106763f31780270989cec29a

        SHA512

        d6a3f7a656394620f5fcdd3f68f6f164b3f061797673f5cc066569e0b71030bb50274b9ba0a0326ff5c8fe9638c14cb83ee67c7337c8248d1f44dc3b4ee7481e

        Download Submit

      • memory/4392-54-0x00000000001C0000-0x00000000001C3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4392-14-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4392-15-0x00000000001C0000-0x00000000001C3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4392-16-0x00000000007F0000-0x00000000007F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4392-53-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-61-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-51-0x00000000001C0000-0x00000000001C3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4612-58-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-59-0x00000000001C0000-0x00000000001C3000-memory.dmp

        Filesize

        12KB

        Download

      • memory/4612-63-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-65-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-67-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-69-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/4612-71-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

        Download

      • memory/5880-55-0x0000000000400000-0x0000000000484000-memory.dmp

        Filesize

        528KB

        Download

      • memory/5880-56-0x0000000000400000-0x0000000000484000-memory.dmp

        Filesize

        528KB

        Download

      • memory/5880-57-0x0000000000400000-0x0000000000484000-memory.dmp

        Filesize

        528KB

        Download

      • memory/5880-0-0x0000000000400000-0x0000000000484000-memory.dmp

        Filesize

        528KB

        Download