Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/06/2024, 19:10
Static task: static1
Behavioral task: behavioral1
- Sample: 0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: 0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe
- Size: 96KB
- MD5: 0a54aa06961b372d7b08ea3d441e0d64
- SHA1: 3e79b93d1dbfcd5beb39da26774ba85e0f8bb5ec
- SHA256: 55f4bec3680f7d11105834785cbe2638d5114a0ca564e74ab59efbddbb2b2eee
- SHA512: 2e287d461650b61214ee112be487b8e8105e1658bc9e7970d1646aff005a56cccc7dff1fb3aaca99f0c17b88e0d8386a695c71a7c1ee44a44aac0227080eaed0
- SSDEEP: 3072:C+S4jHS8q/3nTzePCwNUh4E92HmuLAUSmc:Cx428q/nTzePCwG7cmg6
Malware Config
Signatures

- Gh0st RAT payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/2060-14-0x0000000000400000-0x000000000044E29C-memory.dmp   family_gh0strat
  behavioral2/files/0x0008000000023266-15.dat                                   family_gh0strat
  behavioral2/memory/5068-20-0x0000000020000000-0x0000000020027000-memory.dmp   family_gh0strat
  behavioral2/memory/908-25-0x0000000020000000-0x0000000020027000-memory.dmp    family_gh0strat
  behavioral2/memory/4384-30-0x0000000020000000-0x0000000020027000-memory.dmp   family_gh0strat

- Deletes itself (1 IoCs)
  pid   Process
  2060  ncodkxuigu

- Executes dropped EXE (1 IoCs)
  pid   Process
  2060  ncodkxuigu

- Loads dropped DLL (3 IoCs)
  pid   Process
  5068  svchost.exe
  908   svchost.exe
  4384  svchost.exe

- Drops file in System32 directory (6 IoCs)
  description                   ioc                                    Process
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
  File created                  C:\Windows\SysWOW64\wqwuyiwahr         svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
  File created                  C:\Windows\SysWOW64\wycsfuhqiy         svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt    svchost.exe
  File created                  C:\Windows\SysWOW64\wysxeeojvk         svchost.exe

- Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  4044  5068        WerFault.exe  91
  3444  908         WerFault.exe  99
  2084  4384        WerFault.exe  103

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2060  ncodkxuigu
  2060  ncodkxuigu

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   2060  ncodkxuigu
  Token: SeBackupPrivilege    2060  ncodkxuigu
  Token: SeBackupPrivilege    2060  ncodkxuigu
  Token: SeRestorePrivilege   2060  ncodkxuigu
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeRestorePrivilege   5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeSecurityPrivilege  5068  svchost.exe
  Token: SeSecurityPrivilege  5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeSecurityPrivilege  5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeSecurityPrivilege  5068  svchost.exe
  Token: SeBackupPrivilege    5068  svchost.exe
  Token: SeRestorePrivilege   5068  svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeRestorePrivilege   908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeSecurityPrivilege  908   svchost.exe
  Token: SeSecurityPrivilege  908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeSecurityPrivilege  908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeSecurityPrivilege  908   svchost.exe
  Token: SeBackupPrivilege    908   svchost.exe
  Token: SeRestorePrivilege   908   svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeRestorePrivilege   4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeSecurityPrivilege  4384  svchost.exe
  Token: SeSecurityPrivilege  4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeSecurityPrivilege  4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeSecurityPrivilege  4384  svchost.exe
  Token: SeBackupPrivilege    4384  svchost.exe
  Token: SeRestorePrivilege   4384  svchost.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                             procid_target
  PID 3620 wrote to memory of 2060  3620  0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe  90
  PID 3620 wrote to memory of 2060  3620  0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe  90
  PID 3620 wrote to memory of 2060  3620  0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe  90
Processes

- C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe (PID 3620)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"
  signatures: Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\ncodkxuigu (PID 2060)
    command line: "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a54aa06961b372d7b08ea3d441e0d64_jaffacakes118.exe
    signatures: Deletes itself; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\svchost.exe (PID 5068)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4044)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1084
    signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 3204)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5068 -ip 5068

- C:\Windows\SysWOW64\svchost.exe (PID 908)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 3444)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1064
    signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 3804)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 908 -ip 908

- C:\Windows\SysWOW64\svchost.exe (PID 4384)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 2084)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1108
    signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 3220)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4384 -ip 4384

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2236)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 22.2MB
  MD5: 5a574d246c585e48f4689c513d8fee56
  SHA1: ce380ea5a0e2d91a01241c6ffa0c51db8691e6f1
  SHA256: 90785eb4dbfa2868aa3eaa96bedc0900bfb3049ee665c83b66c267bc28ee9c0a
  SHA512: 87d9fef05714aac3dbfa17e64677160a390d85ae0346cee420e55839572556590cdde0753ecd285d250ec78442a6ecf08a4f7807d1164950158dedd51998f8f0

- Filesize: 204B
  MD5: 110977b10ff698183a821c3a23a4ce6e
  SHA1: dad6d6ffccb67205157164f478c07edd7981bf25
  SHA256: a0483f5aab467488e5f948c275c08ef54335a5f3df30b1d9895d2901e2a3bb14
  SHA512: 92ac52ee5c0212b5814833919eb447946bbd935d5aa834e666ae57490ca8e6bea191d10238d2db1fba6deefe1f24d6cc18443ea290a30f72ca786876dde9541a

- Filesize: 306B
  MD5: b184afa1e84bf5872a392474d782bd4a
  SHA1: 9828cf97410e31884ceeb018a15599654b50cee3
  SHA256: 913577107f54d0f57851d06cc2dc288eeba04153987ce942b28ac4cd1ac9662a
  SHA512: 030fcaa185107f14166e41c3d7650b8830055802123385f7424c7a339cf69c47cc6835aa1a8c18e99720c7e1e793b9fad4f1dfb32b1b6273f795079debf87c6e

- Filesize: 24.0MB
  MD5: 819eff2cb0c3d6aab89eae1532939bc6
  SHA1: a066f6e598386ee2a87a03b21c7ef46faa284b0e
  SHA256: a2b5f6395998c5723b5cedd9cc02f0863198f2c3dc753d6056aeea97a51b4527
  SHA512: d320503c2c3e0c0b3cbeb5144579bc298c78c74b5fc3b1b6d9e273cc5b1ee40a6017380e280c20f205c62c10a9c11efc865661bfcdff02ca9836c20be703e44e