Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_739720bba3b531acc147168b2c1e3989

  • Size

    648KB

  • Sample

    250314-h1781avzgy

  • MD5

    739720bba3b531acc147168b2c1e3989

  • SHA1

    d92cb4d1c4c20984fe5c73fd9d3b14ca06923990

  • SHA256

    c81542a91c35544e0702d4a3a921bd513b9e489a24e4a6a2b8470f7b68a8b091

  • SHA512

    fd2d78bc82092eaf615aaf645e4283a91e76eb87bf83069537ea27ecffd7b3b321485ad48f1ae969629fad42d2d93fee8017a4d590c07d4a11c47697cf8ec92e

  • SSDEEP

    12288:c6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhd:xAmBpVKHu0Mu9Xo20VGLVP5d

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

fangtbn.no-ip.org:1604

Mutex

DC_MUTEX-Y6H1WRZ

Attributes
  • InstallPath

    Windows\explorer.exe

  • gencode

    1=j0e-X*0puG

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    WIN

rc4.plain

Targets

    • Target

      JaffaCakes118_739720bba3b531acc147168b2c1e3989

    • Size

      648KB

    • MD5

      739720bba3b531acc147168b2c1e3989

    • SHA1

      d92cb4d1c4c20984fe5c73fd9d3b14ca06923990

    • SHA256

      c81542a91c35544e0702d4a3a921bd513b9e489a24e4a6a2b8470f7b68a8b091

    • SHA512

      fd2d78bc82092eaf615aaf645e4283a91e76eb87bf83069537ea27ecffd7b3b321485ad48f1ae969629fad42d2d93fee8017a4d590c07d4a11c47697cf8ec92e

    • SSDEEP

      12288:c6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhd:xAmBpVKHu0Mu9Xo20VGLVP5d

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks