Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/01/2025, 12:01
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe
Size: 715KB
MD5: 64eff4f0e19acf9ccf8cdd9d672af690
SHA1: 617bc8febea4370ec4b7123191b275fb01c3ea57
SHA256: 32cd6293bb07914f054fc76511c60a647fb1ccfdd6e1dddcc1a68a2a842a9c3a
SHA512: 43f67518e9f1adc7c1923f5ce99722b62f4118d35705ee740a14b97e4d782332e3154fb0fd61e7b9659d92840bad5941a204c72fa3e2512b7711f5ee6131a174
SSDEEP: 12288:tRnfZLsRTMgxjVlbOihYaamOqGPfw0C5dqsUu5eR57qVe3s:ffNIT1lbxhYXmGVqlP4ye3s
Malware Config
Extracted
Family: darkcomet
Botnet: New
C2: zw4lcfe.no-ip.biz:36050
Mutex: DC_MUTEX-G4MYDUH
gencode: UAAq4f17b6ky
install: false
offline_keylogger: true
password: -RandomPassword0000-
persistence: false
Signatures
Darkcomet family
Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svhst.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | svhst.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | svhst.exe
Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | svhst.exe
Windows security bypass
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svhst.exe
Executes dropped EXE (1 IoCs)
pid | Process
2732 | svhst.exe
Loads dropped DLL (6 IoCs)
pid | Process
1836 | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe (6 entries)
Uses the VBS compiler for execution (1 TTPs)
Windows security modification
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svhst.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdate.exe" | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1836 set thread context of 2732 | 1836 | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe | 35
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svhst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1836 | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1836 | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe
Token: SeIncreaseQuotaPrivilege | 2732 | svhst.exe
Token: SeSecurityPrivilege | 2732 | svhst.exe
Token: SeTakeOwnershipPrivilege | 2732 | svhst.exe
Token: SeLoadDriverPrivilege | 2732 | svhst.exe
Token: SeSystemProfilePrivilege | 2732 | svhst.exe
Token: SeSystemtimePrivilege | 2732 | svhst.exe
Token: SeProfSingleProcessPrivilege | 2732 | svhst.exe
Token: SeIncBasePriorityPrivilege | 2732 | svhst.exe
Token: SeCreatePagefilePrivilege | 2732 | svhst.exe
Token: SeBackupPrivilege | 2732 | svhst.exe
Token: SeRestorePrivilege | 2732 | svhst.exe
Token: SeShutdownPrivilege | 2732 | svhst.exe
Token: SeDebugPrivilege | 2732 | svhst.exe
Token: SeSystemEnvironmentPrivilege | 2732 | svhst.exe
Token: SeChangeNotifyPrivilege | 2732 | svhst.exe
Token: SeRemoteShutdownPrivilege | 2732 | svhst.exe
Token: SeUndockPrivilege | 2732 | svhst.exe
Token: SeManageVolumePrivilege | 2732 | svhst.exe
Token: SeImpersonatePrivilege | 2732 | svhst.exe
Token: SeCreateGlobalPrivilege | 2732 | svhst.exe
Token: 33 | 2732 | svhst.exe
Token: 34 | 2732 | svhst.exe
Token: 35 | 2732 | svhst.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2732 | svhst.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 1836 wrote to memory of 2076 | 1836 | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe | 30 (4 entries)
PID 2076 wrote to memory of 2064 | 2076 | vbc.exe | 32 (4 entries)
PID 1836 wrote to memory of 2732 | 1836 | JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe | 35 (13 entries)
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | svhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | svhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | svhst.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64eff4f0e19acf9ccf8cdd9d672af690.exe"
   PID: 1836
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 1836)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1upyx2mg.cmdline"
      PID: 2076
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (child of PID 2076)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7B2.tmp"
         PID: 2064
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\AppLaunch\svhst.exe (child of PID 1836)
      Command line: C:\Users\Admin\AppData\Local\Temp\\AppLaunch\svhst.exe
      PID: 2732
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads