Analysis
-
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 21:43
Static task: static1
Behavioral task: behavioral1
Sample: 0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll
Resource: win7-20240508-en
General
-
Target: 0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll
Size: 3.9MB
MD5: 0ac231eea0af76b43bb40bda076c4413
SHA1: b6f7ccb33174d20aca8b48991d384729460d3180
SHA256: c17a7b182420e173e0854526cdc357bcd6c8e0b8e89d1b84aeda3abf3f49ed0b
SHA512: 4fbe87f94862582b34a29f837d7b61646d45db803c9f24d6963e25057276fcf48783f28feb045a310d4f23f08d6ecf2ead33bd7df9ad2f42eb62407f6f5c2d1d
SSDEEP: 49152:ZuLzMD89v4uLzMD89v4uLzMD89v4uLzMD89v4uLzMD89v4uLzMD89v:QhvNhvNhvNhvNhvNhv
Malware Config
Signatures
-
Gh0st RAT payload 39 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (rundll32.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svchost.exe)
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine (rundll32.exe)
-
Loads dropped DLL 1 IoCs
pid 2708 (svchost.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid 1916 (rundll32.exe)
pid 2708 (svchost.exe)
-
Drops file in Program Files directory 2 IoCs
File opened for modification C:\Program Files (x86)\Common Files\System\Wab32g.dll (rundll32.exe)
File created C:\Program Files (x86)\Common Files\System\Wab32g.dll (rundll32.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Token: SeBackupPrivilege (pid 1916, rundll32.exe)
Token: SeRestorePrivilege (pid 1916, rundll32.exe)
Token: SeBackupPrivilege (pid 1916, rundll32.exe)
Token: SeRestorePrivilege (pid 1916, rundll32.exe)
Token: SeBackupPrivilege (pid 1916, rundll32.exe)
Token: SeRestorePrivilege (pid 1916, rundll32.exe)
Token: SeBackupPrivilege (pid 1916, rundll32.exe)
Token: SeRestorePrivilege (pid 1916, rundll32.exe)
-
Suspicious use of WriteProcessMemory 7 IoCs
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
PID 2580 wrote to memory of 1916 (pid 2580, rundll32.exe, procid_target 28)
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll,#1
  PID: 2580
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll,#1
    PID: 1916
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2708
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 5.9MB
MD5: 17f6a7597aca486a31c0293b8b3ca88f
SHA1: fad53174067d6aa31bb2036ce409771386161fa1
SHA256: e70794e534f272945fe649724144a773a3a7ef5edbbb2ba8bd3dd4705341b4dd
SHA512: 80732fd90e802eaa3bb5570ccd4aabf43b26bec2cb514912189f73237e59a64f969963b93dcf285b9c33e40c22163a00ec6f20500efe6d3a376271a4553b7408