Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/06/2024, 19:57
Behavioral task: behavioral1
Sample: 0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe
Resource: win7-20240221-en
(The platform, resource tags and all signature and process data on this page come from the behavioral2 run on win10v2004-20240611-en, as the behavioral2/ prefixes in the yara hits show; behavioral1 is the Windows 7 run of the same sample.)
General
Target: 0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe
Size: 100KB
MD5: 0a8df3f09733e758a21b2f081f4e56fc
SHA1: 9ddca2907734f6f0e6a76b2bab015a6aae623c68
SHA256: a8e61c2a9ec74f9de2c7342d6aca09bd6d3037ad6f47dd02726e50eef553260c
SHA512: 5e57feaea0aa8f7b2ffa198779a92356e15830cd9da1048715b6c0d7c318a1455e9d85db819deb7ba2726b580c87b977af210c0c1037372df55ff7a56c532edc
SSDEEP: 1536:WFFB3T1uLq8eMC+GVN+FI2LDpstMRuzpd1u9dwiFskCL8WvBfoOF8e:aT1ulLtGVN+J1suRazy6i1W5AOSe
Malware Config
Signatures
-
Gh0st RAT payload (7 IoCs)
yara_rule: family_gh0strat
- behavioral2/memory/1640-7-0x0000000000400000-0x0000000000436000-memory.dmp
- behavioral2/memory/3740-8-0x0000000000400000-0x0000000000436000-memory.dmp
- behavioral2/files/0x000800000002346d-11.dat
- behavioral2/memory/3740-13-0x0000000000400000-0x0000000000436000-memory.dmp
- behavioral2/memory/4436-16-0x0000000020000000-0x0000000020027000-memory.dmp
- behavioral2/memory/4960-21-0x0000000020000000-0x0000000020027000-memory.dmp
- behavioral2/memory/4680-26-0x0000000020000000-0x0000000020027000-memory.dmp
Deletes itself (1 IoC)
- PID 3740 pqosvqphcu
Executes dropped EXE (1 IoC)
- PID 3740 pqosvqphcu
Loads dropped DLL (3 IoCs)
- PID 4436 svchost.exe
- PID 4960 svchost.exe
- PID 4680 svchost.exe
UPX packer signature (5 IoCs)
yara_rule: upx
- behavioral2/memory/1640-0-0x0000000000400000-0x0000000000436000-memory.dmp
- behavioral2/files/0x0008000000023468-4.dat
- behavioral2/memory/1640-7-0x0000000000400000-0x0000000000436000-memory.dmp
- behavioral2/memory/3740-8-0x0000000000400000-0x0000000000436000-memory.dmp
- behavioral2/memory/3740-13-0x0000000000400000-0x0000000000436000-memory.dmp
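The memory-dump resource names in the two yara tables above encode the process and the virtual address range that matched. The script below, an added illustration rather than tria.ge's own code, parses those names (the rows are copied from this report) and groups them by process and by address range. It shows that the EXE image matches at 0x00400000-0x00436000 in PIDs 1640 and 3740 for both rules, while the three svchost.exe instances (4436, 4960, 4680) each match family_gh0strat on an identically sized 0x27000-byte module at 0x20000000 that the upx rule does not hit: the service DLL is mapped unpacked, at the same preferred base, in every host, which is a practical handle for memory scanning across processes.

```python
"""Parse tria.ge yara-hit resource names and summarise them per process.

Added illustration, not tria.ge code. The rows in HITS are copied from the
report above; the resource-name grammar is inferred from those rows.
"""
import re
from collections import defaultdict

# behavioral2/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# behavioral2/files/<file id>-<seq>.dat
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<fid>0x[0-9A-Fa-f]+)-(?P<seq>\d+)\.dat$")

# (resource, yara_rule) rows exactly as listed in the report.
HITS = [
    ("behavioral2/memory/1640-7-0x0000000000400000-0x0000000000436000-memory.dmp", "family_gh0strat"),
    ("behavioral2/memory/3740-8-0x0000000000400000-0x0000000000436000-memory.dmp", "family_gh0strat"),
    ("behavioral2/files/0x000800000002346d-11.dat", "family_gh0strat"),
    ("behavioral2/memory/3740-13-0x0000000000400000-0x0000000000436000-memory.dmp", "family_gh0strat"),
    ("behavioral2/memory/4436-16-0x0000000020000000-0x0000000020027000-memory.dmp", "family_gh0strat"),
    ("behavioral2/memory/4960-21-0x0000000020000000-0x0000000020027000-memory.dmp", "family_gh0strat"),
    ("behavioral2/memory/4680-26-0x0000000020000000-0x0000000020027000-memory.dmp", "family_gh0strat"),
    ("behavioral2/memory/1640-0-0x0000000000400000-0x0000000000436000-memory.dmp", "upx"),
    ("behavioral2/files/0x0008000000023468-4.dat", "upx"),
    ("behavioral2/memory/1640-7-0x0000000000400000-0x0000000000436000-memory.dmp", "upx"),
    ("behavioral2/memory/3740-8-0x0000000000400000-0x0000000000436000-memory.dmp", "upx"),
    ("behavioral2/memory/3740-13-0x0000000000400000-0x0000000000436000-memory.dmp", "upx"),
]


def parse_resource(res):
    """Return a dict describing one resource name; raise on an unknown shape."""
    m = MEM_RE.match(res)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": start, "end": end, "size": end - start}
    m = FILE_RE.match(res)
    if m:
        return {"kind": "file", "fid": m["fid"], "seq": int(m["seq"])}
    raise ValueError(f"unrecognised resource: {res}")


def summarise(hits):
    """Group rule names by (pid, start, end) for memory hits and by file id for file hits."""
    regions, files = defaultdict(set), defaultdict(set)
    for res, rule in hits:
        p = parse_resource(res)
        if p["kind"] == "memory":
            regions[(p["pid"], p["start"], p["end"])].add(rule)
        else:
            files[p["fid"]].add(rule)
    return dict(regions), dict(files)


def shared_bases(regions):
    """Map each (start, end) range to the sorted PIDs that have it: same module, same base."""
    by_range = defaultdict(set)
    for pid, start, end in regions:
        by_range[(start, end)].add(pid)
    return {k: sorted(v) for k, v in by_range.items()}


def report(hits):
    regions, files = summarise(hits)
    lines = [f"pid {pid}: 0x{s:08x}-0x{e:08x} ({e - s:#x} bytes) {sorted(rules)}"
             for (pid, s, e), rules in sorted(regions.items())]
    lines += [f"file {fid}: {sorted(rules)}" for fid, rules in sorted(files.items())]
    lines += [f"range 0x{s:08x}-0x{e:08x} mapped in pids {pids}"
              for (s, e), pids in sorted(shared_bases(regions).items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(HITS)))
```

The 0x27000 size and fixed 0x20000000 base recur in all three svchost.exe dumps; a memory scanner that walks 32-bit service hosts and checks for an image mapped at that base, then applies the family rule to it, would find every instance without depending on the random on-disk file names.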
Drops file in System32 directory (7 IoCs)
- File created: C:\Windows\SysWOW64\erqlrwmite (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\svchost.exe.txt (svchost.exe)
- File created: C:\Windows\SysWOW64\eaffaaoghy (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\svchost.exe.txt (svchost.exe)
- File created: C:\Windows\SysWOW64\eaffaaoghy (svchost.exe)
- File created: C:\Windows\SysWOW64\ejcsjtjlhj (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\svchost.exe.txt (svchost.exe)
Drops file in Program Files directory (1 IoC)
- File opened for modification: C:\Program Files (x86)\Tencent\%SESSIONNAME%\pfkdf.xm (pqosvqphcu)
Program crash (3 IoCs)
- PID 552 WerFault.exe, target PID 4436 (procid_target 91)
- PID 1824 WerFault.exe, target PID 4960 (procid_target 96)
- PID 2584 WerFault.exe, target PID 4680 (procid_target 99)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3740 pqosvqphcu
- PID 3740 pqosvqphcu
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Tokens enabled, in the order recorded per process:
- PID 3740 pqosvqphcu (4): SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeRestorePrivilege
- PID 4436 svchost.exe (14): SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
- PID 4960 svchost.exe (14): SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
- PID 4680 svchost.exe (13): SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1640 (0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe) wrote to memory of PID 3740 (procid_target 86)
- PID 1640 (0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe) wrote to memory of PID 3740 (procid_target 86)
- PID 1640 (0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe) wrote to memory of PID 3740 (procid_target 86)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe (PID 1640)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\pqosvqphcu (PID 3740, child of 1640)
    command line: "C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a8df3f09733e758a21b2f081f4e56fc_jaffacakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 4436)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 552, child of 4436)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1088
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2788)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4436 -ip 4436
- C:\Windows\SysWOW64\svchost.exe (PID 4960)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 1824, child of 4960)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 880
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1624)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4960 -ip 4960
- C:\Windows\SysWOW64\svchost.exe (PID 4680)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 2584, child of 4680)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 820
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1748)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4680 -ip 4680
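Read as a whole, the tree is the usual Gh0st RAT install sequence: the dropper (PID 1640) runs an extensionless copy of itself from %LOCALAPPDATA% using the original file's command line (PID 3740, whose image path and command-line program do not match), and a service DLL is then hosted three times in a 32-bit svchost.exe started with -k netsvcs -s fastuserswitchingcompatibility, each instance writing extensionless, random-named files into SysWOW64 before crashing (the WerFault -p <pid> children). The Python below, an added example and not tria.ge's code, turns those observations into hunting rules and runs them over constructed Sysmon-style event records. Field names follow Sysmon event IDs 1 (process create) and 11 (file create), but the records are built here to mirror the report and are not a captured log; the parent-process values and the benign control rows are assumptions.

```python
"""Hunting rules distilled from the Gh0st RAT process tree, run over constructed events.

Added example, not tria.ge code. EVENTS is constructed to mirror the report;
parent images and the two benign rows (PID 1200) are assumptions.
"""
import re
from pathlib import PureWindowsPath

SYSWOW64 = "c:\\windows\\syswow64"
# Extensionless lowercase names such as pqosvqphcu, erqlrwmite, eaffaaoghy, ejcsjtjlhj.
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0a8df3f09733e758a21b2f081f4e56fc_JaffaCakes118.exe"
EVENTS = [
    {"id": 1, "pid": 1640, "image": DROPPER, "cmdline": f'"{DROPPER}"', "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 3740, "image": r"C:\Users\Admin\AppData\Local\pqosvqphcu",
     "cmdline": f'"{DROPPER}" a -sc:\\users\\admin\\appdata\\local\\temp\\0a8df3f09733e758a21b2f081f4e56fc_jaffacakes118.exe',
     "parent": DROPPER},
    {"id": 1, "pid": 4436, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility",
     "parent": r"C:\Windows\System32\services.exe"},          # parent assumed
    {"id": 11, "pid": 4436, "image": r"C:\Windows\SysWOW64\svchost.exe", "target": r"C:\Windows\SysWOW64\erqlrwmite"},
    {"id": 11, "pid": 4436, "image": r"C:\Windows\SysWOW64\svchost.exe", "target": r"C:\Windows\SysWOW64\svchost.exe.txt"},
    {"id": 1, "pid": 552, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1088", "parent": r"C:\Windows\SysWOW64\svchost.exe"},
    # Benign control rows (constructed): a 64-bit netsvcs host doing ordinary work.
    {"id": 1, "pid": 1200, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 11, "pid": 1200, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\Tasks\MyTask"},
]


def basename(path):
    return PureWindowsPath(path).name


def under(path, prefix):
    """Case-insensitive 'path lies below prefix' test."""
    return path.lower().startswith(prefix.lower() + "\\")


def cmdline_program(cmdline):
    """First token of a command line: the quoted program path, or the text up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hunt(events):
    """Return (rule, pid, detail) findings; events must be in chronological order."""
    findings, flagged_hosts = [], set()
    for e in events:
        if e["id"] == 1:
            img, cmd = e["image"], e["cmdline"]
            name = basename(img).lower()
            # On x64 Windows the netsvcs group is normally hosted by System32\svchost.exe; a SysWOW64
            # host with an explicit -s <service> is how a 32-bit service DLL gets loaded.
            if name == "svchost.exe" and under(img, SYSWOW64) and "-k netsvcs" in cmd.lower() and " -s " in cmd.lower():
                flagged_hosts.add(e["pid"])
                findings.append(("wow64_netsvcs_host", e["pid"], cmd))
            if "\\appdata\\local\\" in img.lower() and RANDOM_NAME.match(basename(img)):
                findings.append(("extensionless_exec_in_appdata", e["pid"], img))
            prog = cmdline_program(cmd)
            if basename(prog).lower() != name:   # lpApplicationName differs from lpCommandLine
                findings.append(("cmdline_image_mismatch", e["pid"], f"{img} <- {prog}"))
            if name == "werfault.exe":
                m = re.search(r"-p (\d+)", cmd)
                if m and int(m[1]) in flagged_hosts:
                    findings.append(("flagged_host_crashed", int(m[1]), cmd))
        elif e["id"] == 11:
            tgt = e["target"]
            if basename(e["image"]).lower() == "svchost.exe" and under(tgt, SYSWOW64):
                tname = basename(tgt)
                if RANDOM_NAME.match(tname) or tname.lower().endswith(".exe.txt"):
                    findings.append(("svchost_writes_syswow64", e["pid"], tgt))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The command-line/image mismatch rule is the one worth keeping beyond this family: a process whose recorded image is `...\AppData\Local\pqosvqphcu` while its command line names the original dropper only happens when CreateProcess is given a different application path and command line, which legitimate installers rarely do.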
Downloads
- Filesize: 21.2MB
  MD5: 6ca60b7955e288fdb3e5715de0725dee
  SHA1: 5ecf07516bc9eb845e381d79c4b41574d394147e
  SHA256: 6bdb61eae76ffd0086abf3ca9f702adfa774ab56914210feaf7ed17fe330fef6
  SHA512: 8e009a63aa664e93400feda3be58d39b6d036ac2a43cb7c350a11b22f6273a30c02f95ec164fba0a5b99b7c861ba72d14f75081296c054374090d6f3d61d6d55
- Filesize: 204B
  MD5: d41463aaaf713e8800648adf7340cd50
  SHA1: 9d50734007e018bd90a606729913302c83de7f41
  SHA256: c6ace6432658275a11973ad7d76099fde7152a2bb307dcc97747d349a5868d0b
  SHA512: c37a5dbdf800d469e895cb512d4976a88eee9588f213cd3ae61f82b11ba48c885b7efadc2e0aacff3013810c614b4aa3700dfd5cfaf80d9639302bb627a952d1
- Filesize: 306B
  MD5: 70c2ba1b248ef1d976b516a2d538b058
  SHA1: 854767fd4beaf1fa03d52d8b1113b6017f908162
  SHA256: 440d2449e05b281d3a22ec632f7fbb2a264b13a0257c8020eea1f96767214012
  SHA512: bb84aaa66eb3bd777556cac075ed35094edeab478b4e5babc0c09b75aa5c68d250b13a5be3bf0c8fea52a0064bd80ea417dbe0af4ea0e757f708aeefb08fabc4
- Filesize: 24.0MB
  MD5: ba4515873674fa81363e6bdcc34f7415
  SHA1: 71b8b28bfd66964fd9bb77977312352b5574ae79
  SHA256: 904c90a40abfdd45dde701e04c166239e2e99f042edda8e45158de8088471e2c
  SHA512: a68fb1ac3b096e72b0479502635df17ac3f5180c06a553e5bf15ae8c2222ab775bf14bf066735b7c1d7f6c811bece070432295fede8fb93301f961e27b37247f