Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 24/06/2024, 20:02
Behavioral task: behavioral1
Sample: 0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe
Size: 161KB
MD5: 0a9415694a24f7ff671eb1fccc911e2b
SHA1: c1cd8a25c6e640e7935d11b1d6a4815fe121da90
SHA256: 414f9780c0eac8892ddc5951822905db88d59e6ab101cfaeeee537c505023eed
SHA512: c8d5bfa2df7b3e86c25f08b80413b0481378d1a059cf8e435d0831c3a7ca5caffa617a7180e340eab366a2768126e0385ff1dfa57384335e892f1c37edd82fcc
SSDEEP: 3072:JHOHBwifdtG79onTCBvqYzVKBaUi5zFy7oidbWYmubP:wHBwwdSSkKk1xQkidCQ
Malware Config
Signatures

Gh0st RAT payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2836-2-0x0000000000400000-0x000000000042A000-memory.dmp    family_gh0strat
  behavioral1/files/0x000c00000001224e-4.dat                                    family_gh0strat
  behavioral1/memory/2836-9-0x0000000000400000-0x000000000042A000-memory.dmp    family_gh0strat

Loads dropped DLL (4 IoCs)
  pid   Process
  2560  rundll32.exe   (4 identical entries)

Drops file in Program Files directory (1 IoC)
  description   ioc                                          Process
  File created  C:\Program Files (x86)\wi259401052nd.temp    0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                              entries
  2836  0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe   2
  2560  rundll32.exe                                         62

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process                                              procid_target
  PID 2836 wrote to memory of 2560   2836  0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe   28
  (7 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe"
   PID: 2836
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe Rundlla.dll, CodeMain lpServiceName
      PID: 2560
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
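The signature tables and process tree above are what an analyst pivots on, but the sandbox presents them flattened and weights every hit the same. The helper below is an added example (not tria.ge code) that turns the three records that matter here, the process tree, the WriteProcessMemory rows and the YARA hits, into findings with the weight a practitioner would give them. The record lists are constructed from the report text; the rule names, the "parent wrote to its own child" heuristic and the 0x400000 default-image-base check are this example's own, not part of the tria.ge output.

```python
"""Triage the behavioural records of the tria.ge report above.

Added example, not tria.ge's code.  PROCS, WPM_ROWS and YARA_HITS are
constructed from the report; the rules applied to them are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]


# Constructed from the "Processes" section of the report.
PROCS = [
    Proc(2836, r"C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\0a9415694a24f7ff671eb1fccc911e2b_JaffaCakes118.exe"', None),
    Proc(2560, r"C:\Windows\SysWOW64\rundll32.exe",
         "rundll32.exe Rundlla.dll, CodeMain lpServiceName", 2836),
]

# Constructed from the "Suspicious use of WriteProcessMemory" table: (writer pid, target pid) per row.
WPM_ROWS = [(2836, 2560)] * 7

# Constructed from the "Gh0st RAT payload" table: (resource, yara_rule).
YARA_HITS = [
    ("behavioral1/memory/2836-2-0x0000000000400000-0x000000000042A000-memory.dmp", "family_gh0strat"),
    ("behavioral1/files/0x000c00000001224e-4.dat", "family_gh0strat"),
    ("behavioral1/memory/2836-9-0x0000000000400000-0x000000000042A000-memory.dmp", "family_gh0strat"),
]

# rundll32[.exe] <dll>,<export> [args]; the comma may be glued to the DLL name as in the report.
RUNDLL32_RE = re.compile(
    r'^(?:"?[^"\s]*rundll32(?:\.exe)?"?)\s+(?P<dll>[^,\s]+)\s*,\s*(?P<export>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
# tria.ge memory-dump naming: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.IGNORECASE
)


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Split a rundll32 command line into dll, export and argument string; None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if m is None:
        return None
    return {"dll": m["dll"], "export": m["export"], "args": (m["args"] or "").strip()}


def rundll32_findings(procs):
    """Flag rundll32 invocations whose DLL is given by bare name (no directory)."""
    out = []
    for p in procs:
        parsed = parse_rundll32(p.cmdline)
        if parsed is None:
            continue
        if not re.search(r"[\\/]", parsed["dll"]):
            out.append(f"pid {p.pid}: rundll32 calls export {parsed['export']} of {parsed['dll']} "
                       "given by bare name, so the DLL is resolved through the loader search order "
                       "rather than a vetted path")
    return out


def wpm_findings(procs, rows):
    """Group WriteProcessMemory rows by (writer, target).  A parent writing into a
    child it just created is what CreateProcess start-up looks like; writes into a
    process that is not its child are the injection signal."""
    parent_of = {p.pid: p.parent for p in procs}
    out = []
    for (writer, target), n in Counter(rows).items():
        if parent_of.get(target) == writer:
            out.append(f"pid {writer} wrote {n}x into child {target}: "
                       "consistent with normal process start-up, weak on its own")
        else:
            out.append(f"pid {writer} wrote {n}x into unrelated pid {target}: "
                       "cross-process injection indicator")
    return out


def yara_findings(hits):
    """Decode memory-dump hits into pid and address range (deduplicating re-dumps of
    the same region); file hits pass through as-is."""
    out, seen = [], set()
    for resource, rule in hits:
        m = MEMDUMP_RE.search(resource)
        if m is None:
            out.append(f"{rule} in dropped file {resource}")
            continue
        pid, start, end = int(m["pid"]), int(m["start"], 16), int(m["end"], 16)
        key = (rule, pid, start, end)
        if key in seen:
            continue
        seen.add(key)
        # 0x400000 is the default image base of a 32-bit executable, so a match starting
        # there sits in the process's own mapped image, not in injected memory.
        where = "default 32-bit image base, the process's own mapped image" if start == 0x400000 else "non-image region"
        out.append(f"{rule} in pid {pid} at {start:#x}-{end:#x} ({end - start:#x} bytes, {where})")
    return out


def triage(procs=PROCS, wpm=WPM_ROWS, yara=YARA_HITS):
    return rundll32_findings(procs) + wpm_findings(procs, wpm) + yara_findings(yara)


if __name__ == "__main__":
    for line in triage():
        print("-", line)
```

Run as-is it produces four findings. The seven WriteProcessMemory rows all go from 2836 into its own child 2560, so they are graded as start-up noise; the evidence worth reporting is the family_gh0strat match inside 2836's own image region (the dropper decodes the payload in place), the same rule firing on a dropped file, and rundll32 resolving Rundlla.dll by name through the CodeMain export.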
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 20.1MB
MD5: e3ca679c81b48fc1b3ec0fc6d06c1dc8
SHA1: 57d5b6ba461cc763212c2f979f20f5dc17c19a77
SHA256: 5889004ff0ae3f671a25ab79e9bf76fa13a025467adaeed15a702b00d08cee76
SHA512: 85f30584253ce9b62217c764ee4687a9f2530574dc88fa4a8191a68115ecf6d3c6faca8118a6c20e3553b6a55dbd6a35696d533d59f4e29ae0d5bf8e66b5eae9