Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 19:21
Behavioral task
behavioral1
Sample: 0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll
Resource: win7-20240611-en
Note: the analysis details above (win10v2004-20240508-en) and the signature hits below (prefixed behavioral2) belong to the Windows 10 task; behavioral1 is the Windows 7 run of the same sample.
General
Target: 0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll
Size: 133KB
MD5: 0a6170316dae449020d8a5d174619ae0
SHA1: d5e9958aae11182f6eba0abb4e199bb54626b0fb
SHA256: 597d558551b63beca0176e6cb69915cc8faa87afdc26bb3b023b00c6c8729ef1
SHA512: 7c7a3cea597823d7bb473e57008e654d2e36fa9e38ed9856569c0f8a588619678958d1621b556310e4b3264d1f4a7b61418f40a0f47755126fd4741335009ddc
SSDEEP: 3072:bixrcYyNNBxIf58d6UuSMhXk22T94oz7vEEZzcEQJO:aANBxIxh0u4TSg7vECzc30
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/files/0x000b000000023407-3.dat
  yara_rule: family_gh0strat

Loads dropped DLL (1 IoC)
  pid   Process
  4728  svchost.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                        Process
  File opened for modification  C:\Program Files (x86)\Iefg\Nefghijkl.pic  rundll32.exe
  File created                  C:\Program Files (x86)\Iefg\Nefghijkl.pic  rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4728  svchost.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                pid   Process
  Token: SeBackupPrivilege   3172  rundll32.exe  (4 entries)
  Token: SeRestorePrivilege  3172  rundll32.exe  (4 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4640 wrote to memory of 3172  4640  rundll32.exe  80  (3 identical entries)
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll,#1
  PID: 4640
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll,#1
       PID: 3172
       - Drops file in Program Files directory
       - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 4728
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
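Reading the tree: the 64-bit rundll32 (4640) is handed a 32-bit DLL and, as rundll32 normally does in that case, creates the SysWOW64 rundll32 (3172) with the same command line; the three WriteProcessMemory hits are that parent-to-child creation, not injection into an unrelated process. The 32-bit rundll32 then enables SeBackupPrivilege/SeRestorePrivilege and writes the payload to C:\Program Files (x86)\Iefg\Nefghijkl.pic, and a service host started with "-k imgsvc" (4728) loads that file as a module despite its .pic extension, which is where the Gh0st RAT rule fires. The script below is an added example, not tria.ge output or the sample's code: it turns the three observable steps into detection rules and runs them over constructed Sysmon-style events that mirror this tree. The Event shape, the directory prefixes and the sample events are assumptions made for the example; the svchost rule in particular needs an allowlist of legitimate third-party service DLLs before it is usable on real telemetry.

```python
"""Detection rules for the chain in this report, evaluated over constructed
Sysmon-style events (added example; not tria.ge output).

Assumed (not from the report): the Event shape, the SYSTEM_DIRS / PROGRAM_FILES
prefixes, and the sample events, which only mirror the process tree and the
file IoCs listed in the report.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a service DLL hosted by svchost.exe is normally loaded from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
PROGRAM_FILES = (r"c:\program files", r"c:\program files (x86)")


@dataclass
class Event:
    kind: str          # "process" (creation), "file" (create/modify), "imageload"
    pid: int
    image: str         # full path of the acting process
    cmdline: str = ""  # for "process" events
    target: str = ""   # file written, or module loaded


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _under(path: str, prefixes) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in prefixes)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rundll32_ordinal_from_temp(ev: Event) -> bool:
    """rundll32.exe told to call a DLL export by ordinal (",#1") where the DLL
    lives under a user's AppData\\Local\\Temp. Both the 64-bit parent and the
    SysWOW64 child in the report match, since they share the command line.
    Caveat: the regex assumes the DLL path has no spaces (true for the sample)."""
    if ev.kind != "process" or _basename(ev.image) != "rundll32.exe":
        return False
    m = re.search(r"\s(\S+\.dll),#\d+\b", ev.cmdline, re.IGNORECASE)
    return bool(m) and "\\appdata\\local\\temp\\" in _norm(m.group(1))


def rundll32_drops_in_program_files(ev: Event) -> bool:
    """rundll32.exe creating or modifying a file under Program Files. Writing
    there needs elevated rights, which is why the report also shows the 32-bit
    rundll32 enabling SeBackupPrivilege / SeRestorePrivilege."""
    return (ev.kind == "file"
            and _basename(ev.image) == "rundll32.exe"
            and _under(ev.target, PROGRAM_FILES))


def svchost_loads_non_system_module(ev: Event) -> bool:
    """svchost.exe loading a module from outside System32/SysWOW64. The file
    extension is deliberately ignored: the dropped payload is named *.pic but
    is loaded as a DLL. Allowlist legitimate third-party service DLLs before
    running this on production telemetry."""
    return (ev.kind == "imageload"
            and _basename(ev.image) == "svchost.exe"
            and not _under(ev.target, SYSTEM_DIRS))


RULES = (rundll32_ordinal_from_temp,
         rundll32_drops_in_program_files,
         svchost_loads_non_system_module)


def scan(events):
    """Return (rule_name, pid) for every event that trips a rule."""
    return [(r.__name__, ev.pid) for ev in events for r in RULES if r(ev)]


# Constructed events mirroring the report's process tree and file IoCs, plus
# two benign controls (a system DLL load and an ordinary rundll32 invocation).
DLL = r"C:\Users\Admin\AppData\Local\Temp\0a6170316dae449020d8a5d174619ae0_JaffaCakes118.dll"
PAYLOAD = r"C:\Program Files (x86)\Iefg\Nefghijkl.pic"
SAMPLE_EVENTS = [
    Event("process", 4640, r"C:\Windows\system32\rundll32.exe", cmdline=f"rundll32.exe {DLL},#1"),
    Event("process", 3172, r"C:\Windows\SysWOW64\rundll32.exe", cmdline=f"rundll32.exe {DLL},#1"),
    Event("file", 3172, r"C:\Windows\SysWOW64\rundll32.exe", target=PAYLOAD),
    Event("process", 4728, r"C:\Windows\SysWOW64\svchost.exe",
          cmdline=r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"),
    Event("imageload", 4728, r"C:\Windows\SysWOW64\svchost.exe", target=PAYLOAD),
    Event("imageload", 4728, r"C:\Windows\SysWOW64\svchost.exe",
          target=r"C:\Windows\SysWOW64\kernel32.dll"),
    Event("process", 5000, r"C:\Windows\system32\rundll32.exe",
          cmdline=r"rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_EVENTS):
        print(f"{rule:35} pid {pid}")
```

Run against the constructed events, the first rule fires on both rundll32 instances (4640 and 3172), the second on the 32-bit rundll32 (3172) and the third on the service host (4728); the kernel32.dll load and the Control_RunDLL invocation stay quiet. On a live host the matching artifact to hunt for is the same .pic path under Program Files (x86) and any svchost.exe whose loaded-module list includes it.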
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 11.0MB
MD5: 8e83b22e7b94e821fea5470fa1a666f8
SHA1: f7effcc710ae8a8894cd55280e136c798cff8fad
SHA256: 7919d851c5aaa4b05b647e47ef6a02d790a8f422a67a169a073a9bf061ad63d3
SHA512: 833c2333b649e70dd50a3eabe635e9626760ea3464b01bb7bc9f04b17d843abc5a9a463af9ba526597c80abb5dd1eeadef01feb56b9d7f117f54c7c75c0d3dc7