Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_85b477a0eb3a1110d2ee4523bfe14c1b

  • Size

    1.2MB

  • Sample

    250322-dm3ddazr18

  • MD5

    85b477a0eb3a1110d2ee4523bfe14c1b

  • SHA1

    ef00a334fab01e8a7e998540efced39ace82ec75

  • SHA256

    75a35c634b4438fa9f8f5f0a264a4af5e4942618721fe0b43617b84b369fc000

  • SHA512

    de9235dfe241049f848476db020626102464634b3379e0954d6ff7666683a63d5598279381596b1e3206303ffa144a59168a666a93c83c448d9c1cf99c8ffcf8

  • SSDEEP

    24576:nwQLyEvOM/mc6kz0ctbwSWftp2oUoX8EMiY4+lEIzh+Z7YniFyJ2i:nl0M+c6kz0ybE32oUoX80Y4+lEchw7v8

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.2.21:3724

Mutex

DC_MUTEX-1Y8LAW0

Attributes
  • InstallPath

    Dosya\server.exe

  • gencode

    fhFgVlj9fFca

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Server

rc4.plain

Extracted

Family

darkcomet

Attributes
  • gencode

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

rc4.plain

Targets

    • Target

      JaffaCakes118_85b477a0eb3a1110d2ee4523bfe14c1b

    • Size

      1.2MB

    • MD5

      85b477a0eb3a1110d2ee4523bfe14c1b

    • SHA1

      ef00a334fab01e8a7e998540efced39ace82ec75

    • SHA256

      75a35c634b4438fa9f8f5f0a264a4af5e4942618721fe0b43617b84b369fc000

    • SHA512

      de9235dfe241049f848476db020626102464634b3379e0954d6ff7666683a63d5598279381596b1e3206303ffa144a59168a666a93c83c448d9c1cf99c8ffcf8

    • SSDEEP

      24576:nwQLyEvOM/mc6kz0ctbwSWftp2oUoX8EMiY4+lEIzh+Z7YniFyJ2i:nl0M+c6kz0ybE32oUoX80Y4+lEchw7v8

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Modifies WinLogon for persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks