Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/01/2025, 18:33
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
Size: 695KB
MD5: 67487fcba24f39352821477dd0928a3b
SHA1: 0b66d88fab7aef3455e7695d9b469537a309bba8
SHA256: 86762e0fd9c84a4c7d7f97a08de496a90cdd77df0122da1746883a2d3956b08d
SHA512: 61e0c41b01d9eb82f871921718493a1f51cd5ae81ae6b62f684a9a5630a5b3091dbb92f1c2719e967191a29ad407cccfcfc309580e1b496a8b5428a89f37d898
SSDEEP: 12288:3XAEwZ6ia5mWiOhGhpaZY+vQhZFaaolSXyOTrT6g3J7CDYhtEb:1nia48hGhpypvSFylSXyKT/IYsb
Malware Config
Signatures
- Darkcomet family
- Executes dropped EXE (1 IoC)
  pid   Process
  1592  yo.jpg.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yo.jpg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  description                          pid   Process
  Token: 33                            2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Token: SeIncBasePriorityPrivilege    2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Token: 33                            2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Token: SeIncBasePriorityPrivilege    2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Token: 33                            2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Token: SeIncBasePriorityPrivilege    2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Token: SeIncreaseQuotaPrivilege      1592  yo.jpg.exe
  Token: SeSecurityPrivilege           1592  yo.jpg.exe
  Token: SeTakeOwnershipPrivilege      1592  yo.jpg.exe
  Token: SeLoadDriverPrivilege         1592  yo.jpg.exe
  Token: SeSystemProfilePrivilege      1592  yo.jpg.exe
  Token: SeSystemtimePrivilege         1592  yo.jpg.exe
  Token: SeProfSingleProcessPrivilege  1592  yo.jpg.exe
  Token: SeIncBasePriorityPrivilege    1592  yo.jpg.exe
  Token: SeCreatePagefilePrivilege     1592  yo.jpg.exe
  Token: SeBackupPrivilege             1592  yo.jpg.exe
  Token: SeRestorePrivilege            1592  yo.jpg.exe
  Token: SeShutdownPrivilege           1592  yo.jpg.exe
  Token: SeDebugPrivilege              1592  yo.jpg.exe
  Token: SeSystemEnvironmentPrivilege  1592  yo.jpg.exe
  Token: SeChangeNotifyPrivilege       1592  yo.jpg.exe
  Token: SeRemoteShutdownPrivilege     1592  yo.jpg.exe
  Token: SeUndockPrivilege             1592  yo.jpg.exe
  Token: SeManageVolumePrivilege       1592  yo.jpg.exe
  Token: SeImpersonatePrivilege        1592  yo.jpg.exe
  Token: SeCreateGlobalPrivilege       1592  yo.jpg.exe
  Token: 33                            1592  yo.jpg.exe
  Token: 34                            1592  yo.jpg.exe
  Token: 35                            1592  yo.jpg.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  1996  DllHost.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  1592  yo.jpg.exe
  1996  DllHost.exe
  1996  DllHost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                    pid   Process                                               procid_target
  PID 2136 wrote to memory of 1592  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe  30
  PID 2136 wrote to memory of 1592  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe  30
  PID 2136 wrote to memory of 1592  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe  30
  PID 2136 wrote to memory of 1592  2136  JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_67487fcba24f39352821477dd0928a3b.exe"
  PID: 2136
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Xenocode\Sandbox\la mas wapa\1.0.0.0\2012.03.27T17.15\Virtual\STUBEXE\@DESKTOP@\yo.jpg.exe
    Command line: "C:\Users\Admin\Desktop\yo.jpg.exe"
    PID: 1592
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1996
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: 150ba2fee08ea1359b03a038f5ba7b5b
  SHA1: a9bea1d06b55b0b6739a59cf8dd194f873cdf4de
  SHA256: 03d2494bf033255f33a0944cec7e183a05bce396a4a70ecf40cc0feeee09f09e
  SHA512: 58e5644634c656d2ba821ff19f9260f4744db8d47e8e45829a2e08cfb6cf512b581260cf517dcadb04b834d4f2414b82e289e2201a4ceb2919c88c4b306912fb
- \Users\Admin\AppData\Local\Xenocode\Sandbox\la mas wapa\1.0.0.0\2012.03.27T17.15\Virtual\MODIFIED\@DESKTOP@\yo.jpg.exe
  Filesize: 678KB
  MD5: f314298b8d1d1625cf996ffb3a099be9
  SHA1: 9cf7d5f9f7180467f2f7ec7f3d3bbe84abe42bec
  SHA256: 15aba10d98fb3e095f91b3639b92c249a07db15196c2a78f2fbded351551c097
  SHA512: 01fc47cdca11f8f1d1fbeda5ff92f37266e1519a6a8b048d7979c4d9a6879856c89987e4595f0a3764ed59636a09a4e8a1f4de752b3905904932db6fca523ca8
- \Users\Admin\AppData\Local\Xenocode\Sandbox\la mas wapa\1.0.0.0\2012.03.27T17.15\Virtual\STUBEXE\@DESKTOP@\yo.jpg.exe
  Filesize: 17KB
  MD5: d745f91c57f0044ef93bc7141b66b280
  SHA1: 344d3b4e00193a9197029996b4a69fb4dcd46d4f
  SHA256: 906175f44e34e09c85495a3135f60e3e50d1623fab65be9d003298881ecd115b
  SHA512: 4e86f15ba5e637698df740add3df878de31e8bf37c2b5013031f858514ffce9a7ddbcf3224007a0d3d42140a29eb3e762d398a6b4e99307f089f5c0ce6dfd7d3