Analysis
  Max time kernel:  150s
  Max time network: 119s
  Platform:         windows7_x64
  Resource:         win7-20240220-en
  Resource tags:    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  Submitted:        27/06/2024, 14:52
Behavioral task: behavioral1
  Sample:   1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe
  Resource: win7-20240220-en
General
  Target: 1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe
  Size:   196KB
  MD5:    1667bc2ccace57daf8068ab201dc0996
  SHA1:   7bf309aa53e691f6c168ccf2d2d05628855f33d2
  SHA256: 3fd9d905d9b08c22bb5517bd4e6a1d95c5e0c2deba4fda089b7ff5dac1343810
  SHA512: e346239c0a43b0ee96aab8f023586a3139e985e99caad6f95c961625ad305c16564995c96d2b4691f63021e5b9aee49eef6ef2f52b8a027b8440e01118c68396
  SSDEEP: 3072:iIXD6tSGloVFwz8BD0cjRTyVwdUE3AZnC69NJ09sTpwWwo:izlQwz8BDpWwOUA1C6rTuWf
Malware Config

Signatures

Gh0st RAT payload (2 IoCs)
  resource                                     | yara_rule
  behavioral1/files/0x000b000000014457-8.dat   | family_gh0strat
  behavioral1/files/0x0039000000014709-16.dat  | family_gh0strat

Blocklisted process makes network request (2 IoCs)
  flow | pid  | Process
  2    | 2660 | RUNDLL32.exe
  5    | 2660 | RUNDLL32.exe

Executes dropped EXE (1 IoCs)
  pid  | Process
  2976 | OATH.EXE

Loads dropped DLL (1 IoCs)
  pid  | Process
  2660 | RUNDLL32.exe

Drops file in Program Files directory (3 IoCs)
  description                   | ioc                                | Process
  File created                  | \??\c:\Program Files\WINDOWSS.INI  | OATH.EXE
  File created                  | C:\Program Files\temp0\QQ.exe      | OATH.EXE
  File opened for modification  | C:\Program Files\temp0\QQ.exe      | OATH.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
  pid  | Process
  2488 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  | Process
  2976 | OATH.EXE  (3 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2488 | taskkill.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                        | pid  | Process                                              | procid_target
  PID 2932 wrote to memory of 2976   | 2932 | 1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe   | 28  (4 occurrences)
  PID 2976 wrote to memory of 2488   | 2976 | OATH.EXE                                             | 29  (4 occurrences)
  PID 2976 wrote to memory of 2660   | 2976 | OATH.EXE                                             | 31  (7 occurrences)
  PID 2976 wrote to memory of 1556   | 2976 | OATH.EXE                                             | 33  (4 occurrences)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe"
  PID: 2932
  - Suspicious use of WriteProcessMemory

  Level 2: C:\OATH.EXE
    Command line: "C:\OATH.EXE"
    PID: 2976
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im KSafeTray.exe
      PID: 2488
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\SysWOW64\RUNDLL32.exe
      Command line: RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
      PID: 2660
      - Blocklisted process makes network request
      - Loads dropped DLL

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c afc9fe2f418b00a0.bat
      PID: 1556
Network
MITRE ATT&CK Enterprise v15
Downloads