Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 04/01/2025, 18:31
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe
Resource: win7-20240729-en
General
Target: JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe
Size: 797KB
MD5: 7b2c058c92c0bfcdc36f6eb6bcd0f66b
SHA1: c7eb1f8c37df44d4f5560f1734dafdd12ed6477e
SHA256: 776d7d11b5d27b5b3a713f3839fd7128e05fa6a9134fa2fed9b2928e59852322
SHA512: 328816178c32125b73c01d03bd9670ae703e3a35c11c53e0ebbe43a9739b14ba2e77fa26be0cf215add3e2766035342253d668cb5b3f3012a172c18e60e8bec4
SSDEEP: 12288:QQLcijICEZ+6vFkqeXGvyxngsm/CEUCR264lGYxtFYB6dsqvPMySJR2SePaG1vhW:ZcfZxFTKn8/+CR26gGYxUYFvPMygGBW
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: imdaco.no-ip.org:1604
Mutex: DC_MUTEX-L9KM9Y7
InstallPath: MSDCS\Rundll32.exe
gencode: LJp33LCadVtB
install: true
offline_keylogger: true
persistence: true
reg_key: Rundll32
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCS\\Rundll32.exe" | csc.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
2632 | attrib.exe
580 | attrib.exe
Executes dropped EXE (1 IoCs)
pid | Process
1580 | Rundll32.exe

Loads dropped DLL (1 IoCs)
pid | Process
2804 | csc.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\MSDCS\\Rundll32.exe" | csc.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2720 set thread context of 2804 | 2720 | JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe | 30
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | attrib.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
All 23 entries are pid 2804, Process csc.exe. Tokens adjusted, in order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.
Suspicious use of WriteProcessMemory (56 IoCs)
description | pid | Process | procid_target | occurrences
PID 2720 wrote to memory of 2804 | 2720 | JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe | 30 | 15
PID 2804 wrote to memory of 2880 | 2804 | csc.exe | 31 | 4
PID 2804 wrote to memory of 2596 | 2804 | csc.exe | 32 | 4
PID 2804 wrote to memory of 2740 | 2804 | csc.exe | 34 | 18
PID 2880 wrote to memory of 2632 | 2880 | cmd.exe | 36 | 4
PID 2596 wrote to memory of 580 | 2596 | cmd.exe | 37 | 4
PID 2804 wrote to memory of 1580 | 2804 | csc.exe | 38 | 7
Views/modifies file attributes (1 TTPs, 2 IoCs)
pid | Process
2632 | attrib.exe
580 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b2c058c92c0bfcdc36f6eb6bcd0f66b.exe"
  PID: 2720
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    PID: 2804
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
      PID: 2880
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (depth 4)
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" +s +h
        PID: 2632
        - Sets file to hidden
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      PID: 2596
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (depth 4)
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        PID: 580
        - Sets file to hidden
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe (depth 3)
      Command line: notepad
      PID: 2740
      - System Location Discovery: System Language Discovery

    C:\MSDCS\Rundll32.exe (depth 3)
      Command line: "C:\MSDCS\Rundll32.exe"
      PID: 1580
      - Executes dropped EXE
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 75KB
MD5: 3d7d2e825c63ff501e896cf008c70d75
SHA1: 24e1e56df2c1e85b224b4360235513e79f03d3fc
SHA256: 037fc52b8fc6089338eb456f2b45638ed36c42a4dca7ace391d166b2329838a1
SHA512: 57d06b2226221162e0b54eeea3de13af6386bd632d16f6ec0666da81e8e177157a778caf0e3df0fe6368ea0b0fd93dae92cbe3cbb8c484f9e1107ba371301f21