Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 15:09
Behavioral task behavioral1
- Sample: e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
- Size: 188KB
- MD5: e2cfc6f8656c2ab1934d32cfab708c04
- SHA1: 2e68f708e31fdf7dac196c20accc6f51f1ff652f
- SHA256: 4037c6cbfedecaeab0b515c75aa8496d49020adefbd4dc10e0db2b9f69ce3e49
- SHA512: 7521a8e4a4a7d67cefe398d8c6632e5cbf0cb2968ec22583544d7d3a185772ccc466e2fa7e50af21bc29958b579ae166224a24236fc6d67571ac454d8f490855
- SSDEEP: 3072:DQbz3nYOihhTLZgVk4KPe7TAP8sdM57wgBbDNlP4mttAa8sOOCmM+R:DGYNhhvKqRWTsBdM7bBb3AKAQO8H
Malware Config
Signatures
Gh0st RAT payload 6 IoCs
  yara_rule family_gh0strat matched in:
  - behavioral2/files/0x000c00000002311f-6.dat
  - behavioral2/files/0x000c00000002311f-7.dat
  - behavioral2/memory/944-11-0x0000000010000000-0x0000000010023000-memory.dmp
  - behavioral2/memory/944-13-0x0000000010000000-0x0000000010023000-memory.dmp
  - behavioral2/memory/944-16-0x00000000762D0000-0x00000000763C0000-memory.dmp
  - behavioral2/memory/944-17-0x0000000010000000-0x0000000010023000-memory.dmp
Deletes itself 1 IoCs
  - pid 944 svchost.exe
Loads dropped DLL 1 IoCs
  - pid 944 svchost.exe
yara_rule vmprotect 3 IoCs
  yara_rule vmprotect matched in:
  - behavioral2/memory/3672-0-0x0000000000400000-0x0000000000456000-memory.dmp
  - behavioral2/memory/3672-1-0x0000000000400000-0x0000000000456000-memory.dmp
  - behavioral2/memory/3672-8-0x0000000000400000-0x0000000000456000-memory.dmp
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification \??\PhysicalDrive0 (svchost.exe)
Drops file in System32 directory 6 IoCs
  - File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\bj[1].htm (svchost.exe)
  - File created C:\Windows\SysWOW64\fnombovxhg (svchost.exe)
  - File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (svchost.exe)
  - File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (svchost.exe)
  - File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (svchost.exe)
  - File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (svchost.exe)
Drops file in Program Files directory 2 IoCs
  - File created \??\c:\progra~2\google\fnombov.txt (svchost.exe)
  - File opened for modification \??\c:\progra~2\google\vqesw.cku (svchost.exe)
Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
Modifies data under HKEY_USERS 13 IoCs
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum (svchost.exe)
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (svchost.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (svchost.exe)
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" (svchost.exe)
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (svchost.exe)
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie (svchost.exe)
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (svchost.exe)
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (svchost.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (svchost.exe)
  - Key created \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (svchost.exe)
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (svchost.exe)
Suspicious behavior: EnumeratesProcesses 8 IoCs
  - pid 944 svchost.exe (8 occurrences)
Suspicious use of AdjustPrivilegeToken 18 IoCs
  - Token: SeBackupPrivilege, pid 3672 e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
  - Token: SeRestorePrivilege, pid 3672 e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeRestorePrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeSecurityPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeRestorePrivilege, pid 944 svchost.exe
  - Token: SeSecurityPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeSecurityPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeSecurityPrivilege, pid 944 svchost.exe
  - Token: SeBackupPrivilege, pid 944 svchost.exe
  - Token: SeRestorePrivilege, pid 944 svchost.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe" (PID 3672)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry (PID 4616)
- C:\Windows\SysWOW64\svchost.exe -k netsvcs (PID 944)
  - Deletes itself
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 625KB
  MD5: 23d612069c62b76693f2f3446ca04b0b
  SHA1: 68c3780a10217152c9ff72bdd00622e461c12636
  SHA256: 116a20953ae5cbed1430ba4d326bd2cfdf181e584286c57c926f6e778e8ebb82
  SHA512: 2efcb10d2b852b75b9866470734ba799e4c6e9261e97ae7cdb2713ed7946164c6ce72309dc828ec1ed577abe0c2a1c64d53414abfa2766a499d7189553ce0fd8
- Filesize: 625KB
  MD5: 1b62be970f530827f228bfe80cd0c59c
  SHA1: 4eefaa3548b977446cab54738525fdf19c0b445c
  SHA256: 67cbfeaae9b958a45347248d4a7975e1bb217023509d511f83a21f94f5fa3370
  SHA512: 76031049024fb4dfcbee53224bcd6e1aca9b904d63dd62b3725870c869ce46510b85d03a981d1cab839232f60a5c329f408cad520e5b2c2c9b975e2aefd279e7