Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
31/01/2025, 07:59
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
-
Size
2.4MB
-
MD5
68288c29d8546aadc301eda4436def32
-
SHA1
b2f25aa72549ab250213e20850aa3e5beab1928f
-
SHA256
a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
-
SHA512
d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
-
SSDEEP
49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" HKCMB.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts HKCMB.exe -
Executes dropped EXE 2 IoCs
pid Process 2128 Transaction mangement.exe 2784 HKCMB.exe -
Loads dropped DLL 13 IoCs
pid Process 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 2128 Transaction mangement.exe 2128 Transaction mangement.exe 2128 Transaction mangement.exe 2128 Transaction mangement.exe 2784 HKCMB.exe 2784 HKCMB.exe 2240 WerFault.exe 2240 WerFault.exe 2240 WerFault.exe 2240 WerFault.exe 2240 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" HKCMB.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe HKCMB.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe HKCMB.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ HKCMB.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2128 set thread context of 2784 2128 Transaction mangement.exe 32 -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe Transaction mangement.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe Transaction mangement.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2240 2784 WerFault.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HKCMB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_68288c29d8546aadc301eda4436def32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Transaction mangement.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1716 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2784 HKCMB.exe Token: SeSecurityPrivilege 2784 HKCMB.exe Token: SeTakeOwnershipPrivilege 2784 HKCMB.exe Token: SeLoadDriverPrivilege 2784 HKCMB.exe Token: SeSystemProfilePrivilege 2784 HKCMB.exe Token: SeSystemtimePrivilege 2784 HKCMB.exe Token: SeProfSingleProcessPrivilege 2784 HKCMB.exe Token: SeIncBasePriorityPrivilege 2784 HKCMB.exe Token: SeCreatePagefilePrivilege 2784 HKCMB.exe Token: SeBackupPrivilege 2784 HKCMB.exe Token: SeRestorePrivilege 2784 HKCMB.exe Token: SeShutdownPrivilege 2784 HKCMB.exe Token: SeDebugPrivilege 2784 HKCMB.exe Token: SeSystemEnvironmentPrivilege 2784 HKCMB.exe Token: SeChangeNotifyPrivilege 2784 HKCMB.exe Token: SeRemoteShutdownPrivilege 2784 HKCMB.exe Token: SeUndockPrivilege 2784 HKCMB.exe Token: SeManageVolumePrivilege 2784 HKCMB.exe Token: SeImpersonatePrivilege 2784 HKCMB.exe Token: SeCreateGlobalPrivilege 2784 HKCMB.exe Token: 33 2784 HKCMB.exe Token: 34 2784 HKCMB.exe Token: 35 2784 HKCMB.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1716 AcroRd32.exe 1716 AcroRd32.exe 1716 AcroRd32.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 2128 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 30 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 1820 wrote to memory of 1716 1820 JaffaCakes118_68288c29d8546aadc301eda4436def32.exe 31 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2128 wrote to memory of 2784 2128 Transaction mangement.exe 32 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2676 2784 HKCMB.exe 33 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35 PID 2784 wrote to memory of 2240 2784 HKCMB.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:2676
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 6244⤵
- Loads dropped DLL
- Program crash
PID:2240
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1716
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
194KB
MD58764991d86c925a5f8bbe847cd0f3cb3
SHA119e3f30d0baabc7c457fd61fecee8d1e8ab28d0e
SHA2565e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79
SHA512f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc
-
Filesize
72B
MD5fce1348da4bb9cf3e1d986ef6497fe8c
SHA17f6b3383bd7e34ab31e82e1423a63a7776f147cf
SHA256e6ab6964d84756b18c24e05d442ca43805260d167757edd856c3203e735c0733
SHA512984cca90975f2b29dc2400532006700d765d0216b6e9c515a369548aa8835e476d963f4d95cbb3e04401c9a9ac94657bf1de3cf99dc455f67c0c2c4ec4c659be
-
Filesize
3KB
MD59ca26a953524d1abfc9d14e27c485d54
SHA125a8f14424fb118c50965f35196d7cc19b9bdc00
SHA256d8b8d7cfbd3a6d72c1b7d656b073be62347489914ef9c3cc2dd60c0823d0b8b1
SHA512c9d51f931bf3123a2d971fa954ef05598e7bf428f394ba8589a725fc1e1bfb4f49c2f0a8baa12f2675f70288cfb52bbcb43d4eb6937feccd3dcaef7ddf9a13fd
-
Filesize
2.2MB
MD59a540f97fb137ff20426f30e8db62dc8
SHA11cd77f98dc2797cceb083e6b949261e2ea49fe4e
SHA256d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59
SHA512467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d
-
Filesize
1.1MB
MD534aa912defa18c2c129f1e09d75c1d7e
SHA19c3046324657505a30ecd9b1fdb46c05bde7d470
SHA2566df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98