Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JaffaCakes...65.exe

windows7-x64

10

JaffaCakes...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2025, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_7fb215db072c4d8e1a4c03595ae96565.exe

  • Size

    1.1MB

  • MD5

    7fb215db072c4d8e1a4c03595ae96565

  • SHA1

    799d1ff4580ffdb006f6e22cd65cc06df7bcc56f

  • SHA256

    23ff7de42ea09c954f36e8554632547c3365fe821e11bb1eac061e1115ba15d4

  • SHA512

    751e4fbda1270a5ccdc90eab5a4a85c47ee12f7f6b3a02438eb20f23d87b7f7f55407899f8b422a705e1460ca821a0bf28f5d61bfd02a60abe2ed58878dc4752

  • SSDEEP

    24576:tPGSY91VwNJcFMqTNnmJa4dMyMPy+mfeK15bSlC+3keG0q:1GJyV28KWfecFS9dG0q

Score
10/10
darkcometguest16defense_evasiondiscoveryrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

myhost20.no-ip.biz:82

Mutex

DC_MUTEX-RCW2VGW

Attributes
  • gencode

    Xrr0dLuwBjSo

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies firewall policy service 3 TTPs 6 IoCs
    defense_evasion
  • Windows security bypass 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fb215db072c4d8e1a4c03595ae96565.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fb215db072c4d8e1a4c03595ae96565.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pSaltyDave""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pSaltyDave"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3284
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Modifies firewall policy service
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\RUNESCAPE_PIN_GENERATOR.EXE
        "C:\Users\Admin\AppData\Local\Temp\RUNESCAPE_PIN_GENERATOR.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5584
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Modifies firewall policy service
        • Windows security bypass
        • Checks BIOS information in registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RUNESCAPE_PIN_GENERATOR.EXE
    Filesize

    17KB

    MD5

    846e1b7dc70458fb6ed3c4d6e142a37b

    SHA1

    5cdd0bfab5d2eae9024108351ded70cf9cd9a6dc

    SHA256

    88b405cce56c850876746b98b31c2cfcf5f45fe1c985b2b07dedbb5a857ea5c3

    SHA512

    39246e3530e71064c113c8b9ba37d65612ad25cc68eb8311f492165a6ae5a309959c428bc337932b9f2ccf71ef17f51666fae05dd56f5f2209acf236663ddf79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    652KB

    MD5

    21ddba4127fe33445b8b7507c50bb0ee

    SHA1

    0c19546e23a30ffed0adc2d025962632fffd459a

    SHA256

    c9107a0eb531e41fa3f8dc2d0ab6f1a7eed06152c7b294034da71cb7b479ea21

    SHA512

    71cbd6a274a00ff8486eae6adde4a822bfdb511142778ddaa0a0313b8838dffc7203e58db8ac9b8e8519083321c5f2c901c50f4c7a887f91789c78de67a40449

    Download Submit

  • C:\Users\Admin\AppData\Roaming\7za.exe
    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Server.7z
    Filesize

    236KB

    MD5

    a898d62a3224792a3bf07e86e0a2f77a

    SHA1

    3d5d1b76b045a94c562a38948478208ab75b122e

    SHA256

    cfe4088808961634966dd549829b24cb699c4de254de5c128dd84928ad66e151

    SHA512

    17fd8c4eb4368ed057ea94eb2cb988c9a79a40458ab57d4e289d231c6aa66a5960d04f22d787a1df77e687fd8bc106a776f416fa2505fb0a4333796c717d4c35

    Download Submit

  • memory/3048-13-0x00000000022E0000-0x00000000022E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-35-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3692-33-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3692-34-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3692-36-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3692-37-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3692-38-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3692-32-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/5584-25-0x0000000072B7E000-0x0000000072B7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5584-31-0x00000000051A0000-0x00000000051F6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/5584-30-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5584-29-0x00000000050A0000-0x0000000005132000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5584-28-0x0000000005650000-0x0000000005BF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5584-27-0x0000000005000000-0x000000000509C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5584-26-0x0000000000600000-0x000000000060C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5584-39-0x0000000072B7E000-0x0000000072B7F000-memory.dmp

    Filesize

    4KB

    Download