Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/01/2025, 06:46
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
- Size: 952KB
- MD5: 63512ecc60dd21d0333b2dc7003f48a0
- SHA1: 636af8d4b6b9f19270d33a9bd611c19d153f1a17
- SHA256: 44cc68e03116de75d0c38f690ed6f09513d007422b938025f9933ad2b0239409
- SHA512: bf79d24731c864cda3b756c66c5c4a14aa4601bd2130fbd521ea655e7b398d47337f24b3ad5fb3aa7e550cabc7e1557c5ba4a487a72d3d11c86ae16f3d13c520
- SSDEEP: 12288:byyy7Z3z4I8NXOGjwwG/ZjXsAHHz79p9NM5Tz103j2CF4TxQUOfhVPOSAE//VAci:baCI2OewFJN4mkxyHnnew1SatLRzD
Malware Config
Signatures
- Darkcomet family
- Executes dropped EXE (3 IoCs)
  pid   Process
  3540  micoffice.exe
  2956  micoffice.exe
  3296  micoffice.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  3308  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe  (5 entries)
  3540  micoffice.exe                                        (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftOffice\\micoffice.exe"  reg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                              procid_target
  PID 3012 set thread context of 3308  3012  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe  30
  PID 3540 set thread context of 2956  3540  micoffice.exe                                        35
  PID 3540 set thread context of 3296  3540  micoffice.exe                                        36
- yara_rule matches
  resource                                                                       yara_rule
  behavioral1/memory/3308-443-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/2956-1014-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/3308-1036-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/2956-1043-0x0000000000400000-0x000000000040B000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  micoffice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  micoffice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  micoffice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      3296  micoffice.exe
  Token: SeSecurityPrivilege           3296  micoffice.exe
  Token: SeTakeOwnershipPrivilege      3296  micoffice.exe
  Token: SeLoadDriverPrivilege         3296  micoffice.exe
  Token: SeSystemProfilePrivilege      3296  micoffice.exe
  Token: SeSystemtimePrivilege         3296  micoffice.exe
  Token: SeProfSingleProcessPrivilege  3296  micoffice.exe
  Token: SeIncBasePriorityPrivilege    3296  micoffice.exe
  Token: SeCreatePagefilePrivilege     3296  micoffice.exe
  Token: SeBackupPrivilege             3296  micoffice.exe
  Token: SeRestorePrivilege            3296  micoffice.exe
  Token: SeShutdownPrivilege           3296  micoffice.exe
  Token: SeDebugPrivilege              3296  micoffice.exe
  Token: SeSystemEnvironmentPrivilege  3296  micoffice.exe
  Token: SeChangeNotifyPrivilege       3296  micoffice.exe
  Token: SeRemoteShutdownPrivilege     3296  micoffice.exe
  Token: SeUndockPrivilege             3296  micoffice.exe
  Token: SeManageVolumePrivilege       3296  micoffice.exe
  Token: SeImpersonatePrivilege        3296  micoffice.exe
  Token: SeCreateGlobalPrivilege       3296  micoffice.exe
  Token: 33                            3296  micoffice.exe
  Token: 34                            3296  micoffice.exe
  Token: 35                            3296  micoffice.exe
  Token: SeDebugPrivilege              2956  micoffice.exe  (41 identical entries)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  3012  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
  3308  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe
  3540  micoffice.exe
  2956  micoffice.exe
  3296  micoffice.exe
- Suspicious use of WriteProcessMemory (41 IoCs; identical entries collapsed, count in last column)
  description                       pid   Process                                              procid_target  entries
  PID 3012 wrote to memory of 3308  3012  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe  30             8
  PID 3308 wrote to memory of 3464  3308  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe  31             4
  PID 3464 wrote to memory of 3516  3464  cmd.exe                                              33             4
  PID 3308 wrote to memory of 3540  3308  JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe  34             4
  PID 3540 wrote to memory of 2956  3540  micoffice.exe                                        35             8
  PID 3540 wrote to memory of 3296  3540  micoffice.exe                                        36             13
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe (PID 3012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe (PID 3308)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63512ecc60dd21d0333b2dc7003f48a0.exe"
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3464)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\SDBGY.bat" "
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 3516)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msoffice" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe" /f
        Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe (PID 3540)
      Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe (PID 2956)
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe (PID 3296)
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 155B
  MD5: f07b93136766adced3c6f0d74d869da0
  SHA1: 787c530f33687d758b41295e01d7a9a1bba3a467
  SHA256: cd603067047c028fe12d4b099d13b3681dd698d25bc32474184e9d8edd3ed701
  SHA512: 050105a5f14939a37f653421b24959cc90cb082b20df5bb1a81335fd0ad5e70c740b43f1d6df0fc7324551425894668acc3af0c533c7d90ff149d84e844c2d10
- Filesize: 952KB
  MD5: 5bb3b66ffe96abedd50b4e349ff3c9d4
  SHA1: 95bbd149a82dfd63cf363b141b95be9e3e3a1d01
  SHA256: 0f2b79cdb75a6954b45f3b804e1947153fbbd2852aa86cd10f1f9de6e2a80371
  SHA512: 7cc78dc3f46edaa08ba4262f5e9063861e37f6965abeafb646c1fcc20d352fe42072215de972288fdff2114dc540f51cd3a361e965a63552c72e25870cfde1c7