Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06/04/2024, 15:09
Behavioral task
behavioral1
Sample
e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
-
Size
188KB
-
MD5
e2cfc6f8656c2ab1934d32cfab708c04
-
SHA1
2e68f708e31fdf7dac196c20accc6f51f1ff652f
-
SHA256
4037c6cbfedecaeab0b515c75aa8496d49020adefbd4dc10e0db2b9f69ce3e49
-
SHA512
7521a8e4a4a7d67cefe398d8c6632e5cbf0cb2968ec22583544d7d3a185772ccc466e2fa7e50af21bc29958b579ae166224a24236fc6d67571ac454d8f490855
-
SSDEEP
3072:DQbz3nYOihhTLZgVk4KPe7TAP8sdM57wgBbDNlP4mttAa8sOOCmM+R:DGYNhhvKqRWTsBdM7bBb3AKAQO8H
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
resource yara_rule behavioral1/files/0x000e000000012267-7.dat family_gh0strat behavioral1/memory/2552-9-0x0000000010000000-0x0000000010023000-memory.dmp family_gh0strat behavioral1/memory/2552-11-0x0000000010000000-0x0000000010023000-memory.dmp family_gh0strat behavioral1/memory/2552-14-0x0000000010000000-0x0000000010023000-memory.dmp family_gh0strat -
Deletes itself 1 IoCs
pid Process 2552 svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 2552 svchost.exe -
resource yara_rule behavioral1/memory/2188-1-0x0000000000400000-0x0000000000456000-memory.dmp vmprotect behavioral1/memory/2188-6-0x0000000000400000-0x0000000000456000-memory.dmp vmprotect -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 svchost.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\feryruashw svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bj[1].htm svchost.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created \??\c:\progra~2\google\feryrua.txt svchost.exe File created \??\c:\progra~2\google\pyvho.hhn svchost.exe File opened for modification \??\c:\progra~2\google\pyvho.hhn svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Modifies data under HKEY_USERS 30 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFD8D17E-3F21-4909-8BAF-888BCDED36F4}\4e-09-35-a1-05-18 svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFD8D17E-3F21-4909-8BAF-888BCDED36F4}\WpadDecisionTime = 00a314693488da01 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFD8D17E-3F21-4909-8BAF-888BCDED36F4}\WpadDecisionReason = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-09-35-a1-05-18\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-09-35-a1-05-18\WpadDecisionTime = 00a314693488da01 svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFD8D17E-3F21-4909-8BAF-888BCDED36F4} svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFD8D17E-3F21-4909-8BAF-888BCDED36F4}\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-09-35-a1-05-18 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FFD8D17E-3F21-4909-8BAF-888BCDED36F4}\WpadNetworkName = "Network 3" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-09-35-a1-05-18\WpadDecision = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum svchost.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2552 svchost.exe 2552 svchost.exe 2552 svchost.exe 2552 svchost.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeBackupPrivilege 2188 e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe Token: SeRestorePrivilege 2188 e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeRestorePrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeRestorePrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeSecurityPrivilege 2552 svchost.exe Token: SeSecurityPrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeSecurityPrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeSecurityPrivilege 2552 svchost.exe Token: SeBackupPrivilege 2552 svchost.exe Token: SeRestorePrivilege 2552 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k regsvc1⤵PID:3004
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs1⤵
- Deletes itself
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD56185bec84eb42db063d6799fd20bcdf7
SHA1432dbce215a722d2646518590caff68ea43a983c
SHA2560460c23b2fa0bf3dbf7630b2ca6616b7e6e23577446e726fbdd0a7d7fa766476
SHA51207641b4ba17a67ecfe4214f0e35b7cf3f632f8c5d9c7888e590531a2bfcfc3d4e492d251dcd5a5f1a5bac0996a9fde3d0fc0b62d75c90ee5ad40d5a4be3be6f1