Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 00:02

General

  • Target

    855d803590b82b805357587c47c583f2_JaffaCakes118.exe

  • Size

    52KB

  • MD5

    855d803590b82b805357587c47c583f2

  • SHA1

    153458b9b7965f32a43b9d1fa87f84170599bd4a

  • SHA256

    fd3cae55558bda7cf4290d5e9187504ab1f34adf948801ebff7d3fcb69f9e28f

  • SHA512

    d009cff99535e5a8c79b013c4f0a073689f9bcad11a89a8e8110ca8afab88af947ac6c5c23078c04d1c85ef8b586657ce1bdf307da9e6cf4a51d0b11db59b536

  • SSDEEP

    768:YGEMazGKtp2fCpgQtHgRNIBgF2eXY1g8rUy138YbqbvYPZMi8FmbTdd+A:YOsppgQtHEI29o1g8z385bkZ/x+A

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
      PID:388
    • C:\Windows\system32\wininit.exe
      wininit.exe
      1⤵
        PID:396
        • C:\Windows\system32\services.exe
          C:\Windows\system32\services.exe
          2⤵
            PID:480
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch
              3⤵
                PID:604
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  4⤵
                    PID:2120
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  3⤵
                    PID:684
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    3⤵
                      PID:752
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                      3⤵
                        PID:820
                        • C:\Windows\system32\Dwm.exe
                          "C:\Windows\system32\Dwm.exe"
                          4⤵
                            PID:1100
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs
                          3⤵
                            PID:864
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService
                            3⤵
                              PID:968
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k NetworkService
                              3⤵
                                PID:272
                              • C:\Windows\System32\spoolsv.exe
                                C:\Windows\System32\spoolsv.exe
                                3⤵
                                  PID:1052
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  3⤵
                                    PID:1060
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    3⤵
                                      PID:1136
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      3⤵
                                        PID:2800
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        3⤵
                                          PID:2944
                                        • C:\Program Files (x86)\Microsoft Eekyym\Bjobome.exe
                                          "C:\Program Files (x86)\Microsoft Eekyym\Bjobome.exe"
                                          3⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: MapViewOfSection
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2948
                                      • C:\Windows\system32\lsass.exe
                                        C:\Windows\system32\lsass.exe
                                        2⤵
                                          PID:496
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:504
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:424
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1180
                                              • C:\Users\Admin\AppData\Local\Temp\855d803590b82b805357587c47c583f2_JaffaCakes118.exe
                                                "C:\Users\Admin\AppData\Local\Temp\855d803590b82b805357587c47c583f2_JaffaCakes118.exe"
                                                2⤵
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • Drops file in Program Files directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1972
                                            • C:\Users\Admin\AppData\Local\Temp\259559263\zmstage.exe
                                              C:\Users\Admin\AppData\Local\Temp\259559263\zmstage.exe
                                              1⤵
                                                PID:1208

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Program Files (x86)\Microsoft Eekyym\Bjobome.exe

                                                Filesize

                                                52KB

                                                MD5

                                                855d803590b82b805357587c47c583f2

                                                SHA1

                                                153458b9b7965f32a43b9d1fa87f84170599bd4a

                                                SHA256

                                                fd3cae55558bda7cf4290d5e9187504ab1f34adf948801ebff7d3fcb69f9e28f

                                                SHA512

                                                d009cff99535e5a8c79b013c4f0a073689f9bcad11a89a8e8110ca8afab88af947ac6c5c23078c04d1c85ef8b586657ce1bdf307da9e6cf4a51d0b11db59b536

                                              • \Windows\SysWOW64\wscript.exe

                                                Filesize

                                                165KB

                                                MD5

                                                ee97b6e581f1d25f682e1d272edf3c66

                                                SHA1

                                                f74b4e7cfaa36c0ccb5e7943cfbc713ac917409a

                                                SHA256

                                                5abee0c559481cb94a8285b40068c1abd71a542690799cf0c43063354bac81df

                                                SHA512

                                                1dff8490160d856226579699d6a0f072d6cbf57e70f0b634332c8a1d27ce0f1fe76ea0967560243c9b9cef142e1cc49a6f8887a4e428489de228d965855b2b84

                                              • memory/1972-0-0x0000000000400000-0x0000000000419000-memory.dmp

                                                Filesize

                                                100KB

                                              • memory/1972-3-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/1972-2-0x0000000077DEF000-0x0000000077DF0000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/1972-9-0x000000007EF90000-0x000000007EF9C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/1972-7-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/1972-8-0x0000000077DEF000-0x0000000077DF0000-memory.dmp

                                                Filesize

                                                4KB

                                              • memory/1972-17-0x000000007EF90000-0x000000007EF9C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/1972-16-0x0000000000400000-0x0000000000419000-memory.dmp

                                                Filesize

                                                100KB

                                              • memory/2948-5-0x0000000000400000-0x0000000000419000-memory.dmp

                                                Filesize

                                                100KB

                                              • memory/2948-13-0x0000000000400000-0x0000000000419000-memory.dmp

                                                Filesize

                                                100KB