Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 21:43
Static task: static1
Behavioral task: behavioral1
Sample: 0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll
Resource: win7-20240508-en
General
Target: 0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll
Size: 3.9MB
MD5: 0ac231eea0af76b43bb40bda076c4413
SHA1: b6f7ccb33174d20aca8b48991d384729460d3180
SHA256: c17a7b182420e173e0854526cdc357bcd6c8e0b8e89d1b84aeda3abf3f49ed0b
SHA512: 4fbe87f94862582b34a29f837d7b61646d45db803c9f24d6963e25057276fcf48783f28feb045a310d4f23f08d6ecf2ead33bd7df9ad2f42eb62407f6f5c2d1d
SSDEEP: 49152:ZuLzMD89v4uLzMD89v4uLzMD89v4uLzMD89v4uLzMD89v4uLzMD89v:QhvNhvNhvNhvNhvNhv
Malware Config
Signatures

Gh0st RAT payload (25 IoCs)
resource | yara_rule
behavioral2/memory/4976-3-0x0000000010001000-0x000000001000D000-memory.dmp | family_gh0strat
behavioral2/memory/4976-4-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/4976-5-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/4976-10-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-15-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-16-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-17-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-19-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-20-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-21-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-22-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-23-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-24-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-25-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-26-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-27-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-28-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-29-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-30-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-31-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-32-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-33-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-34-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-35-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat
behavioral2/memory/980-36-0x0000000010000000-0x0000000010177000-memory.dmp | family_gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine | rundll32.exe

Loads dropped DLL (1 IoC)
pid | Process
980 | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
4976 | rundll32.exe
980 | svchost.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\System\Wab32g.dll | rundll32.exe
File created | C:\Program Files (x86)\Common Files\System\Wab32g.dll | rundll32.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
1316 | 4976 | WerFault.exe | 82

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4976 | rundll32.exe (2 entries)
980 | svchost.exe (the remaining 62 entries, all identical)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 4976 | rundll32.exe
Token: SeRestorePrivilege | 4976 | rundll32.exe
Token: SeBackupPrivilege | 4976 | rundll32.exe
Token: SeRestorePrivilege | 4976 | rundll32.exe
Token: SeBackupPrivilege | 4976 | rundll32.exe
Token: SeRestorePrivilege | 4976 | rundll32.exe
Token: SeBackupPrivilege | 4976 | rundll32.exe
Token: SeRestorePrivilege | 4976 | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4044 wrote to memory of 4976 | 4044 | rundll32.exe | 82
PID 4044 wrote to memory of 4976 | 4044 | rundll32.exe | 82
PID 4044 wrote to memory of 4976 | 4044 | rundll32.exe | 82
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll,#1
  PID: 4044
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ac231eea0af76b43bb40bda076c4413_JaffaCakes118.dll,#1
    PID: 4976
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 912
      PID: 1316
      - Program crash

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 980
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
  PID: 2392
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6.5MB
MD5: 0166dd9237d05880bd7cb158a197de6e
SHA1: 26289d0ef5685c0ee8608ac887fabbaca4a99a30
SHA256: fee9834ea7381ae432b0308a9bd796edc872e03682a62dc71ed87bddd166bb93
SHA512: f454f3efaa8e3e373b184366a526e3e2d6c453571cac493a33739000a245f821adacaef10f483ed9ff2c484acc7db6ebf3a4d6cffe38534348c0ed7daa90d09f