Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
130s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
20/03/2025, 08:51
General
-
Target
JaffaCakes118_82270aed949bda6503b1d0874a97a63b.exe
-
Size
608KB
-
MD5
82270aed949bda6503b1d0874a97a63b
-
SHA1
805e505169f34b2bf629f33fad0c38c6290e6af5
-
SHA256
f4cdf2802cab61411b1e2ccfd2059a48c98ccac2c9cecbd50431ab5c5f7664ed
-
SHA512
ecbc8d82ac578de53f30becde9273c83777cf893ea07f85d6710bb909ec9073dfd01c9ca2c9d7c03d10618ff7b2f4c4d10f09a156f8a3e34f20cdb51dec51af2
-
SSDEEP
12288:2RFj6uJsOFvz1ABs83aaAbhzANOF2+ZkzDolKS2gDFZofGZCC5fFQY:ZujvznbhkNeUolKS2g5/CCl
Malware Config
Extracted
darkcomet
Guest16
chitan.myftp.org:1604
DC_MUTEX-B1N7QHH
-
gencode
jGCG#1SnUzAK
-
install
false
-
offline_keylogger
false
-
password
hakima
-
persistence
false
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Molebox Virtualization software 1 IoCs
Detects file using Molebox Virtualization software.
-
Windows security modification 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82270aed949bda6503b1d0874a97a63b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82270aed949bda6503b1d0874a97a63b.exe"1⤵
- Modifies security service
- Windows security bypass
- Checks computer location settings
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82270aed949bda6503b1d0874a97a63b.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82270aed949bda6503b1d0874a97a63b.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
980KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
244KB
-
Filesize
4KB
-
Filesize
244KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB
-
Filesize
980KB