Analysis
- max time kernel: 46s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/01/2025, 04:39
Behavioral task
- behavioral1
  Sample: JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
  Resource: win7-20240903-en
General
- Target: JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
- Size: 326KB
- MD5: 62b5b1e2ce552524d16787ac662426c7
- SHA1: 7ca9e8938473837bd293e64d5c0980eb34a552c9
- SHA256: 9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8
- SHA512: a50f6e283f969315ba8ccf538ddf15583e09c7a25f09ecb40da631db36fc47fa3de6906c4713903013962766354b103a9ec9afdac53aa010ddc1d04aa1b69221
- SSDEEP: 6144:SDVak0cSWDokL405WHaIEEGb6UqCDeCV88zqLhTfKXroSFK:S5xoz0RIje6UqU8D9TfKboSFK
Malware Config
Signatures
- Darkcomet family
- Executes dropped EXE (3 IoCs)
  pid   Process
  1632  flashp.exe
  2904  flashp.exe
  2104  flashp.exe
- Loads dropped DLL (15 IoCs)
  pid   Process
  2744  JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe  (4 entries)
  1632  flashp.exe  (5 entries)
  2904  flashp.exe  (3 entries)
  2104  flashp.exe  (3 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ds = "C:\\Users\\Admin\\AppData\\Roaming\\fs\\flashp.exe"  reg.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process     procid_target
  PID 1632 set thread context of 2104   1632  flashp.exe  35
  PID 1632 set thread context of 2904   1632  flashp.exe  36
- resource                                                                     yara_rule
  behavioral1/memory/2744-0-0x0000000000400000-0x0000000000578000-memory.dmp    upx
  behavioral1/files/0x0008000000015d07-34.dat                                   upx
  behavioral1/memory/2744-40-0x0000000000400000-0x0000000000578000-memory.dmp   upx
  behavioral1/memory/1632-42-0x0000000000400000-0x0000000000578000-memory.dmp   upx
  behavioral1/memory/2104-80-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-54-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-52-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/1632-78-0x0000000000400000-0x0000000000578000-memory.dmp   upx
  behavioral1/memory/2104-87-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-88-0x0000000000A60000-0x0000000000BD8000-memory.dmp   upx
  behavioral1/memory/2104-90-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-83-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-49-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-92-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-91-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-94-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-96-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-98-0x0000000000400000-0x00000000004B8000-memory.dmp   upx
  behavioral1/memory/2104-100-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
  behavioral1/memory/2104-102-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
  behavioral1/memory/2104-104-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flashp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flashp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  flashp.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description                            pid   Process
  Token: SeDebugPrivilege                2904  flashp.exe
  Token: SeIncreaseQuotaPrivilege        2104  flashp.exe
  Token: SeSecurityPrivilege             2104  flashp.exe
  Token: SeTakeOwnershipPrivilege        2104  flashp.exe
  Token: SeLoadDriverPrivilege           2104  flashp.exe
  Token: SeSystemProfilePrivilege        2104  flashp.exe
  Token: SeSystemtimePrivilege           2104  flashp.exe
  Token: SeProfSingleProcessPrivilege    2104  flashp.exe
  Token: SeIncBasePriorityPrivilege      2104  flashp.exe
  Token: SeCreatePagefilePrivilege       2104  flashp.exe
  Token: SeBackupPrivilege               2104  flashp.exe
  Token: SeRestorePrivilege              2104  flashp.exe
  Token: SeShutdownPrivilege             2104  flashp.exe
  Token: SeDebugPrivilege                2104  flashp.exe
  Token: SeSystemEnvironmentPrivilege    2104  flashp.exe
  Token: SeChangeNotifyPrivilege         2104  flashp.exe
  Token: SeRemoteShutdownPrivilege       2104  flashp.exe
  Token: SeUndockPrivilege               2104  flashp.exe
  Token: SeManageVolumePrivilege         2104  flashp.exe
  Token: SeImpersonatePrivilege          2104  flashp.exe
  Token: SeCreateGlobalPrivilege         2104  flashp.exe
  Token: 33                              2104  flashp.exe
  Token: 34                              2104  flashp.exe
  Token: 35                              2104  flashp.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2744  JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
  1632  flashp.exe
  2904  flashp.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  description                          pid   Process                                              procid_target
  PID 2744 wrote to memory of 2820     2744  JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe  31  (7 entries)
  PID 2820 wrote to memory of 2976     2820  cmd.exe                                              33  (7 entries)
  PID 2744 wrote to memory of 1632     2744  JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe  34  (7 entries)
  PID 1632 wrote to memory of 2104     1632  flashp.exe                                           35  (11 entries)
  PID 1632 wrote to memory of 2904     1632  flashp.exe                                           36  (11 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_62b5b1e2ce552524d16787ac662426c7.exe"
  PID: 2744 (depth 1)
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259451721.bat" "
    PID: 2820 (depth 2)
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ds" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\fs\flashp.exe" /f
      PID: 2976 (depth 3)
      Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\fs\flashp.exe"
    PID: 1632 (depth 2)
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
      Command line: C:\Users\Admin\AppData\Roaming\fs\flashp.exe
      PID: 2104 (depth 3)
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\fs\flashp.exe
      Command line: C:\Users\Admin\AppData\Roaming\fs\flashp.exe
      PID: 2904 (depth 3)
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 131B
  MD5: 84912171051fbf66f6ed7554cbbb3ee9
  SHA1: 2aa96b932c6c2cfa6bc258b7b8f6f03a1385684a
  SHA256: 044ed6fcfbde2d33eb821338bafb5cbbf7b1e7c07059165d314dcaff8c0a5a78
  SHA512: 1219b17147a6c67a1d4892751a6a537415873c197b4e427341db08cf59a8d7447251eb8a35a8c6873267910c329d7e8ee2cd30a49ecd642819a2a297bb93ab6c
- Filesize: 326KB
  MD5: 62b5b1e2ce552524d16787ac662426c7
  SHA1: 7ca9e8938473837bd293e64d5c0980eb34a552c9
  SHA256: 9018cde236258a5fa5b4be5a8a56d483a403b9324c779f98a9fb3898bc6ea1f8
  SHA512: a50f6e283f969315ba8ccf538ddf15583e09c7a25f09ecb40da631db36fc47fa3de6906c4713903013962766354b103a9ec9afdac53aa010ddc1d04aa1b69221