Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 15/12/2024, 04:10
Static task: static1
Behavioral task: behavioral1
- Sample: f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe
- Size: 3.2MB
- MD5: f2395e55fc1ed3d2eda2a3bdd13d8af6
- SHA1: bf5fa44a16a1ba7d772b6722552ed9525a965ee1
- SHA256: cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88
- SHA512: 69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f
- SSDEEP: 49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f
Malware Config
Extracted
- Family: darkcomet
- Botnet: ROLLEO
- C2: 127.0.0.1:1607, 109.226.126.84:1607
- Mutex: DC_MUTEX-SR7HAR4
- InstallPath: WindowsDefencer\Update.exe
- gencode: TeJuc1dkNHmJ
- install: true
- offline_keylogger: false
- persistence: true
- reg_key: Windows Defencer
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  [file.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsDefencer\\Update.exe"
- Disables RegEdit via registry modification (2 IoCs)
  [Update.exe] Set value (int): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  [iexplore.exe] Set value (int): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  [attrib.exe] PID 3636
  [attrib.exe] PID 4936
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  [f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe] Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  [file.exe] Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (3 IoCs)
  [borodacraft.exe] PID 3016
  [file.exe] PID 3844
  [Update.exe] PID 1636
- Adds Run key to start application (2 TTPs, 4 IoCs)
  [Update.exe] Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"
  [iexplore.exe] Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"
  [f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe] Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ELLDCJEGAHOIGNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"
  [file.exe] Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"
- Drops file in System32 directory (3 IoCs)
  [file.exe] File created: C:\Windows\SysWOW64\WindowsDefencer\Update.exe
  [file.exe] File opened for modification: C:\Windows\SysWOW64\WindowsDefencer\Update.exe
  [file.exe] File opened for modification: C:\Windows\SysWOW64\WindowsDefencer\
- Suspicious use of SetThreadContext (1 IoC)
  [Update.exe] PID 1636 set thread context of PID 3120 (procid_target 92)
- YARA rule matches: upx (5 resources)
  behavioral2/files/0x0007000000023c9e-16.dat
  behavioral2/memory/3844-23-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3120-88-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/1636-90-0x0000000000400000-0x00000000004B7000-memory.dmp
  behavioral2/memory/3844-93-0x0000000000400000-0x00000000004B7000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by cmd.exe, iexplore.exe, notepad.exe, file.exe, notepad.exe, cmd.exe, attrib.exe, attrib.exe, Update.exe, f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe, borodacraft.exe
- Modifies registry class (1 IoC)
  [file.exe] Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  [file.exe, PID 3844] Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
  [Update.exe, PID 1636] Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 IoCs)
  [iexplore.exe, PID 3120] Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (16 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
  [f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe, PID 1476] wrote to memory of PID 3016 (procid_target 82): 3 entries
  [f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe, PID 1476] wrote to memory of PID 3844 (procid_target 83): 3 entries
  [file.exe, PID 3844] wrote to memory of PID 3744 (procid_target 84): 3 entries
  [file.exe, PID 3844] wrote to memory of PID 3476 (procid_target 86): 3 entries
  [file.exe, PID 3844] wrote to memory of PID 4884 (procid_target 87): 18 entries
  [cmd.exe, PID 3744] wrote to memory of PID 3636 (procid_target 89): 3 entries
  [cmd.exe, PID 3476] wrote to memory of PID 4936 (procid_target 90): 3 entries
  [file.exe, PID 3844] wrote to memory of PID 1636 (procid_target 91): 3 entries
  [Update.exe, PID 1636] wrote to memory of PID 3120 (procid_target 92): 5 entries
  [iexplore.exe, PID 3120] wrote to memory of PID 2528 (procid_target 93): 20 entries
- Views/modifies file attributes (1 TTP, 2 IoCs)
  [attrib.exe] PID 4936
  [attrib.exe] PID 3636
Processes
- C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe (PID 1476, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f2395e55fc1ed3d2eda2a3bdd13d8af6_JaffaCakes118.exe"
  signatures: Checks computer location settings; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\borodacraft.exe (PID 3016, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\file.exe (PID 3844, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    signatures: Modifies WinLogon for persistence; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3744, depth 3)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 3636, depth 4)
        command line: attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
        signatures: Sets file to hidden; System Location Discovery: System Language Discovery; Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe (PID 3476, depth 3)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 4936, depth 4)
        command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        signatures: Sets file to hidden; System Location Discovery: System Language Discovery; Views/modifies file attributes
    - C:\Windows\SysWOW64\notepad.exe (PID 4884, depth 3)
      command line: notepad
      signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\WindowsDefencer\Update.exe (PID 1636, depth 3)
      command line: "C:\Windows\system32\WindowsDefencer\Update.exe"
      signatures: Disables RegEdit via registry modification; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3120, depth 4)
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        signatures: Disables RegEdit via registry modification; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\notepad.exe (PID 2528, depth 5)
          command line: notepad
          signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (2)
Downloads
- Filesize: 3.0MB
  MD5: e01dfbe76c690a070ec522d0091a9b3a
  SHA1: 3233ef818c3cc27e07612b7db236b74798eca8f7
  SHA256: f4d4b2be4cfc692bf9e3a48a93b038280d6dca1dc69956bcae3707abf97d1686
  SHA512: ace329d994a6bc7317401e31d7f2e830e9bb17488891c3fc56c14e03b2a2e72b599b7b4f41cc2f59b781c22478e69461791e1a7ba14c27cd845567b3d5f8b406
- Filesize: 252KB
  MD5: 49e04125173bdb0f292b0abb13db301d
  SHA1: 00bce84c8a0b6b71d03fa032aff71eb3500b2147
  SHA256: f0bbed6d47a04063aa467df02a87991e25bf744ee0eec4e31cff20f1ac110a29
  SHA512: af083f3620e1401f619314014405ed8ffe3a938e15c6a04fdf204c32d348f52d21ff36ed084ba6fcf0a6f292c3d12becee08c229fc4c9ac14b234f594a2bbeb9