Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2025, 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
Size: 952KB
MD5: 69d22f16921aa332e713bd5a024b1c80
SHA1: 4b11df5107ec6e113e92d569412c3b51dba4b53b
SHA256: b995936f557d4947a2c98abc6231ac77c950a358fed5975c40097fd3d88764d0
SHA512: 15779137bef9ecc5387d1e946267a4e8d754185847f56ea7e61e6cd1bed36a6b7c21d59e59d82271a65026a5907ad3f3a463fa84375cc4f3cd9a91396e89b7b6
SSDEEP: 12288:byyy7Z3z4I8NXOGjwwG/ZjXsAHHz79p9NM5Tz103j2CF4TxQUOfhVPOSAE//VAci:baCI2OewFJN4mkxyHnnew1SatLRzD
Malware Config
Signatures
- Darkcomet family
- Executes dropped EXE (3 IoCs)
  pid   Process
  3524  micoffice.exe
  1564  micoffice.exe
  3272  micoffice.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  3292  JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
  3524  micoffice.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by reg.exe:
    \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\msoffice = "C:\\Users\\Admin\\AppData\\Roaming\\MicrosoftOffice\\micoffice.exe"
- Suspicious use of SetThreadContext (3 IoCs)
  PID 2516 JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe set thread context of 3292 (procid_target 30)
  PID 3524 micoffice.exe set thread context of 1564 (procid_target 35)
  PID 3524 micoffice.exe set thread context of 3272 (procid_target 36)
- YARA rule match: upx
  resource                                                                      yara_rule
  behavioral1/memory/3292-445-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/1564-883-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral1/memory/3292-1038-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1564-1044-0x0000000000400000-0x000000000040B000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: reg.exe, micoffice.exe, JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe, cmd.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 3272 micoffice.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1564 micoffice.exe, Token: SeDebugPrivilege (repeated)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  2516  JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
  3292  JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
  3524  micoffice.exe
  1564  micoffice.exe
  3272  micoffice.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  PID 2516 JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe wrote to memory of 3292 (procid_target 30)
  PID 3292 JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe wrote to memory of 3448 (procid_target 31)
  PID 3448 cmd.exe wrote to memory of 3500 (procid_target 33)
  PID 3292 JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe wrote to memory of 3524 (procid_target 34)
  PID 3524 micoffice.exe wrote to memory of 1564 (procid_target 35)
  PID 3524 micoffice.exe wrote to memory of 3272 (procid_target 36)
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe"
   PID: 2516
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d22f16921aa332e713bd5a024b1c80.exe"
      PID: 3292
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\HIFOA.bat" "
         PID: 3448
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "msoffice" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe" /f
            PID: 3500
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
      3. C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
         Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
         PID: 3524
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
            Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
            PID: 1564
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe
            Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftOffice\micoffice.exe"
            PID: 3272
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 155B
  MD5: f07b93136766adced3c6f0d74d869da0
  SHA1: 787c530f33687d758b41295e01d7a9a1bba3a467
  SHA256: cd603067047c028fe12d4b099d13b3681dd698d25bc32474184e9d8edd3ed701
  SHA512: 050105a5f14939a37f653421b24959cc90cb082b20df5bb1a81335fd0ad5e70c740b43f1d6df0fc7324551425894668acc3af0c533c7d90ff149d84e844c2d10
- Filesize: 952KB
  MD5: 8480f1af7a1765c763b6ce2f7ee4367b
  SHA1: cf4d550159f7024d0eb43148fe5b1579f4fc8253
  SHA256: d25f8b026f651ef623592749291b23e23261721ce3ad3353151022c535fbf76b
  SHA512: 894be8c23600773ee0977263b2bfc403405ec3ddc0fc9003a58c2f89099ffe6f56dab4f5ce69adb37ab2100131f0f7ba59a2eeb3af13c06fb8b2d3cb6144ca9e