Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 24/06/2024, 19:54
Behavioral tasks
- behavioral1
  Sample: 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe
  Resource: win7-20240508-en
  7 signatures, 150 seconds
- behavioral2
  Sample: 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
  0 signatures, 150 seconds
General
- Target: 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe
- Size: 128KB
- MD5: 0a8a26bc90f03f3b25b18f5ad7ae0d02
- SHA1: 59bc1c0142ac01dd31ac4a31faeac95a26709375
- SHA256: 6e39f0f603e132c310a13cd632acd0fffff216ea5607e263ddfcdb928eb8d161
- SHA512: 4435324774286045878ad2db1404b550f8444a30220426692571b7bf7a4d93df1d85c2fc7bcb16b8602dd9530a3f5b516586ff934a3522c80bd31754ea3cf8fa
- SSDEEP: 1536:QfuO2oDHFIGCaCch4c+LXfCW+MERBF93o2yo7WIQlGvXZ+i:muqHaGxh4BLPCW+MQFko7WIQlsXZ+i
- Score: 10/10
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2064-0-0x0000000000400000-0x0000000000421000-memory.dmp
  yara_rule: family_gh0strat
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\:\Program Files\Common Files\svchost.exe 2024624195428.exe = "C:\\Program Files\\Common Files\\svchost.exe 2024624195428.exe"
  Process: 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe
- Kills process with taskkill (2 IoCs)
  pid 1732, Process taskkill.exe
  pid 1672, Process taskkill.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid 2064, Process 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description Token: SeDebugPrivilege, pid 1672, Process taskkill.exe
  description Token: SeDebugPrivilege, pid 1732, Process taskkill.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  columns: description / pid / Process / procid_target (each distinct row appears 7 times in the report)
  PID 2064 wrote to memory of 1732 / 2064 / 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe / 28
  PID 2064 wrote to memory of 1696 / 2064 / 0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe / 29
  PID 1696 wrote to memory of 1672 / 1696 / svchost.exe 2024624195428.exe / 31
Processes
- C:\Users\Admin\AppData\Local\Temp\0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a8a26bc90f03f3b25b18f5ad7ae0d02_JaffaCakes118.exe"
  PID: 2064
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im Ksafetray.exe
    PID: 1732
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Common Files\svchost.exe 2024624195428.exe
    Command line: "C:\Program Files\Common Files\svchost.exe 2024624195428.exe"
    PID: 1696
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im Ksafetray.exe
      PID: 1672
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken