Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 00:40
Behavioral task
behavioral1
Sample
80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe
-
Size
967KB
-
MD5
80dba74db71df9c685d95d9ed424259b
-
SHA1
a51676aaeb198e446cd3a5f30365e6ed7b01fbb4
-
SHA256
c4c8030515830674d193bbc206b1e7e24f8b37fd3622bf0360c8ac898fbc09d6
-
SHA512
f4214fc7ff2b50335a594564bbc247b80eddd4b04dd890a2feef090e8c8296893fe3caf85eb86a840d2210b448be3bf4502c6235eda26c1d17af91494c3ab1ea
-
SSDEEP
24576:9thEVaPqLY2cWcOrcEMEsDhec44t+Ry34WyuHOiWzTt:lEVUcYycOYEMbec4E12JiWzTt
Malware Config
Extracted
darkcomet
BOT
filmaaron.zapto.org:1604
DC_MUTEX-763A3YD
-
InstallPath
Windows\explorer.exe
-
gencode
dxbTSas2vRAQ
-
install
true
-
offline_keylogger
true
-
password
0123456789
-
persistence
true
-
reg_key
Explorateur Windows
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windows\\explorer.exe" 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" explorer.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" explorer.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2820 attrib.exe 2868 attrib.exe -
Deletes itself 1 IoCs
pid Process 2924 notepad.exe -
Executes dropped EXE 2 IoCs
pid Process 388 explorer.exe 1140 explorer.exe -
Loads dropped DLL 1 IoCs
pid Process 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorateur Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\explorer.exe" 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorateur Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\explorer.exe" explorer.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/2592-27-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe behavioral1/memory/388-85-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2592 set thread context of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 388 set thread context of 1140 388 explorer.exe 39 -
resource yara_rule behavioral1/memory/2592-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/memory/2592-27-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral1/files/0x0031000000018bbf-53.dat upx behavioral1/memory/388-85-0x0000000000400000-0x00000000004C2000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeSecurityPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeSystemtimePrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeBackupPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeRestorePrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeShutdownPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeDebugPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeUndockPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeManageVolumePrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeImpersonatePrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: 33 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: 34 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: 35 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 1140 explorer.exe Token: SeSecurityPrivilege 1140 explorer.exe Token: SeTakeOwnershipPrivilege 1140 explorer.exe Token: SeLoadDriverPrivilege 1140 explorer.exe Token: SeSystemProfilePrivilege 1140 explorer.exe Token: SeSystemtimePrivilege 1140 explorer.exe Token: SeProfSingleProcessPrivilege 1140 explorer.exe Token: SeIncBasePriorityPrivilege 1140 explorer.exe Token: SeCreatePagefilePrivilege 1140 explorer.exe Token: SeBackupPrivilege 1140 explorer.exe Token: SeRestorePrivilege 1140 explorer.exe Token: SeShutdownPrivilege 1140 explorer.exe Token: SeDebugPrivilege 1140 explorer.exe Token: SeSystemEnvironmentPrivilege 1140 explorer.exe Token: SeChangeNotifyPrivilege 1140 explorer.exe Token: SeRemoteShutdownPrivilege 1140 explorer.exe Token: SeUndockPrivilege 1140 explorer.exe Token: SeManageVolumePrivilege 1140 explorer.exe Token: SeImpersonatePrivilege 1140 explorer.exe Token: SeCreateGlobalPrivilege 1140 explorer.exe Token: 33 1140 explorer.exe Token: 34 1140 explorer.exe Token: 35 1140 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1140 explorer.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2592 wrote to memory of 2876 2592 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 30 PID 2876 wrote to memory of 2908 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 31 PID 2876 wrote to memory of 2908 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 31 PID 2876 wrote to memory of 2908 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 31 PID 2876 wrote to memory of 2908 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 31 PID 2876 wrote to memory of 2372 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 33 PID 2876 wrote to memory of 2372 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 33 PID 2876 wrote to memory of 2372 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 33 PID 2876 wrote to memory of 2372 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 33 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2876 wrote to memory of 2924 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 35 PID 2908 wrote to memory of 2820 2908 cmd.exe 36 PID 2908 wrote to memory of 2820 2908 cmd.exe 36 PID 2908 wrote to memory of 2820 2908 cmd.exe 36 PID 2908 wrote to memory of 2820 2908 cmd.exe 36 PID 2372 wrote to memory of 2868 2372 cmd.exe 37 PID 2372 wrote to memory of 2868 2372 cmd.exe 37 PID 2372 wrote to memory of 2868 2372 cmd.exe 37 PID 2372 wrote to memory of 2868 2372 cmd.exe 37 PID 2876 wrote to memory of 388 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 38 PID 2876 wrote to memory of 388 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 38 PID 2876 wrote to memory of 388 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 38 PID 2876 wrote to memory of 388 2876 80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe 38 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 PID 388 wrote to memory of 1140 388 explorer.exe 39 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" explorer.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2820 attrib.exe 2868 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\80dba74db71df9c685d95d9ed424259b_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2820
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2868
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2924
-
-
C:\Users\Admin\AppData\Roaming\Windows\explorer.exe"C:\Users\Admin\AppData\Roaming\Windows\explorer.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Users\Admin\AppData\Roaming\Windows\explorer.exe"C:\Users\Admin\AppData\Roaming\Windows\explorer.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1140
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5dc38f1bf50a20e861d3b563cacbf2349
SHA113bad534740048ffa4cdaff344334f9ebcaec531
SHA2563400b825eedb7de3709f71a1a224d4a246054585cc2d0d1acbd86f7c78762269
SHA5128f4f49ce4ecf1480f60fa38675296de77c156f15d2c918b8059f9ca19fd5a14de8d7cc958a82fc702e97bed4d08f235b905d2d6cd5eb47ad7671ae59e5511fcf
-
Filesize
967KB
MD580dba74db71df9c685d95d9ed424259b
SHA1a51676aaeb198e446cd3a5f30365e6ed7b01fbb4
SHA256c4c8030515830674d193bbc206b1e7e24f8b37fd3622bf0360c8ac898fbc09d6
SHA512f4214fc7ff2b50335a594564bbc247b80eddd4b04dd890a2feef090e8c8296893fe3caf85eb86a840d2210b448be3bf4502c6235eda26c1d17af91494c3ab1ea