Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 19:21
Behavioral task: behavioral1
Sample: 0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll
Resource: win7-20240611-en
General
Target: 0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll
Size: 133KB
MD5: 0a6170316dae449020d8a5d174619ae0
SHA1: d5e9958aae11182f6eba0abb4e199bb54626b0fb
SHA256: 597d558551b63beca0176e6cb69915cc8faa87afdc26bb3b023b00c6c8729ef1
SHA512: 7c7a3cea597823d7bb473e57008e654d2e36fa9e38ed9856569c0f8a588619678958d1621b556310e4b3264d1f4a7b61418f40a0f47755126fd4741335009ddc
SSDEEP: 3072:bixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEQJO:aANBxIxh0u4TSg7vECzc30
Malware Config
Signatures

Gh0st RAT payload (1 IoC)
resource | yara_rule
behavioral1/files/0x0033000000016cdc-3.dat | family_gh0strat

Loads dropped DLL (1 IoC)
pid | Process
2656 | svchost.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Iefg\Nefghijkl.pic | rundll32.exe
File created | C:\Program Files (x86)\Iefg\Nefghijkl.pic | rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2656 | svchost.exe (64 identical events)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 3008 | rundll32.exe
Token: SeRestorePrivilege | 3008 | rundll32.exe
(this SeBackupPrivilege/SeRestorePrivilege pair is recorded four times)

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 840 wrote to memory of 3008 | 840 | rundll32.exe | 28
(recorded seven times)
Processes

C:\Windows\system32\rundll32.exe (PID 840)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 3008)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll,#1
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe (PID 2656)
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

The SysWOW64 child (PID 3008) is the 64-bit rundll32.exe re-launching itself under WoW64 to host a 32-bit DLL, which is why the WriteProcessMemory events are attributed to the parent while the payload's own actions (the Program Files drop and the SeBackup/SeRestore token adjustment) are attributed to the child. The svchost.exe -k imgsvc process has no recorded parent in this capture; a DLL hosted by an svchost service group is loaded from the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters, so that is where to look for the persistence entry on a live host.
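As an added example (not code from tria.ge or from the report), the following Python re-derives three of the report's findings from event records shaped like its Processes and Signatures tables: the 64-bit rundll32 re-launching its SysWOW64 counterpart with the same DLL,#ordinal arguments, a rundll32 process writing under Program Files, and svchost.exe loading a DLL from outside the Windows system directories. The event classes, the ppid value of 0 for processes whose parent is not in the capture, and the assumption that the DLL svchost loaded is the dropped Nefghijkl.pic file (the report does not name it) are all mine.

```python
# Added example, not part of the Triage report. Re-derives three of the report's
# findings from event records shaped like its Processes and Signatures tables.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # 0 when the parent is not in the capture (assumption)
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    action: str        # "created" or "modified"
    path: str


@dataclass(frozen=True)
class LoadEvent:
    pid: int
    dll: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def _args(cmdline: str) -> str:
    """Arguments after the executable token, lower-cased for comparison."""
    parts = cmdline.split(" ", 1)
    return parts[1].lower() if len(parts) > 1 else ""


def _service_group(cmdline: str) -> str:
    """The service group named by svchost's -k switch, or "" if absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-k":
            return tokens[i + 1].lower()
    return ""


def rundll32_wow64_relaunch(procs: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where System32\\rundll32.exe re-executes
    SysWOW64\\rundll32.exe with the same DLL,#ordinal arguments."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if (child.image.lower().endswith("\\syswow64\\rundll32.exe")
                and parent.image.lower().endswith("\\system32\\rundll32.exe")
                and ",#" in _args(child.cmdline)
                and _args(child.cmdline) == _args(parent.cmdline)):
            hits.append((parent.pid, child.pid))
    return hits


def rundll32_program_files_drops(files: List[FileEvent],
                                 procs: List[ProcEvent]) -> List[str]:
    """Distinct paths under Program Files that a rundll32 process wrote."""
    rundll = {p.pid for p in procs if p.image.lower().endswith("\\rundll32.exe")}
    paths: List[str] = []
    for f in files:
        if (f.pid in rundll and f.path.lower().startswith(PROGRAM_FILES)
                and f.path not in paths):
            paths.append(f.path)
    return paths


def svchost_nonsystem_dll(loads: List[LoadEvent],
                          procs: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, service group, dll) for svchost.exe loading a DLL from outside
    the Windows system directories."""
    svchost = {p.pid: p for p in procs if p.image.lower().endswith("\\svchost.exe")}
    hits = []
    for load in loads:
        host = svchost.get(load.pid)
        if host is not None and not load.dll.lower().startswith(SYSTEM_DIRS):
            hits.append((load.pid, _service_group(host.cmdline), load.dll))
    return hits


def triage(procs, files, loads) -> Dict[str, list]:
    return {
        "rundll32_wow64_relaunch": rundll32_wow64_relaunch(procs),
        "program_files_drops": rundll32_program_files_drops(files, procs),
        "svchost_nonsystem_dll": svchost_nonsystem_dll(loads, procs),
    }


# Constructed from the report's tables. The report does not name the DLL that
# svchost loaded; LOADS assumes it is the dropped .pic file.
DLL = r"C:\Users\Admin\AppData\Local\Temp\0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll"
DROP = r"C:\Program Files (x86)\Iefg\Nefghijkl.pic"
PROCS = [
    ProcEvent(840, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3008, 840, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2656, 0, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"),
]
FILES = [FileEvent(3008, "modified", DROP), FileEvent(3008, "created", DROP)]
LOADS = [LoadEvent(2656, DROP)]

if __name__ == "__main__":
    for name, hits in triage(PROCS, FILES, LOADS).items():
        print(f"{name}: {hits}")
```

The same three checks apply unchanged to Sysmon process-create (event 1), file-create (event 11) and image-load (event 7) records once they are mapped onto the three event classes; the service-group field returned by the svchost check is what tells you which ServiceDll registration to pull from the registry on the affected host.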
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 4.5MB
MD5: 361db6247af22514437a7a77bddb67fa
SHA1: 0d8a21d350efaf780fef7c6e4582f5eeb7a535e9
SHA256: a13d8ec17413ce7ccab509fbcf1673f3274c011c50de4586e0c31cb4fcda7203
SHA512: 90ceaa50a26c234a4fb70e70d023130d43f167bc033052ef7b8bf2a54329e563db22b2f2c8b58d9adfa956efd87ac8648cb3eb7e7dccbbdd6c3774259079e29c