Analysis
max time kernel: 150s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 05:59
Static task: static1
Behavioral task: behavioral1
Sample: 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Size: 710KB
MD5: 21500155f442187001dd2e9371e4e21a
SHA1: 4f1e9970ce02081642f36554fe897ea72f169124
SHA256: 89479065919be4eb81a9348dd813ffc6f4f0a12018a63480de16a9b3d4f73e22
SHA512: 621c7c8d5d80ca5f12763a3fae40d124db141e83744b900d89f9db5aa67a16e26e7bb8c393e74b04cb327ff803f3c8670c374049509a91d48563553d2d9ad67b
SSDEEP: 12288:UN23D7X/plD07IRlPrEsNll+EgC8UZj1rM6rL5A3s6ba/u2CpLIxbk3+RVlk3W:UNg7TP9XbD1/Rk3tORVlk3W
Malware Config
Signatures
Gh0st RAT payload (4 IoCs)
resource | yara_rule
behavioral2/memory/1464-4-0x0000000000400000-0x000000000058F000-memory.dmp | family_gh0strat
behavioral2/files/0x00080000000235e7-6.dat | family_gh0strat
behavioral2/files/0x000b0000000235ef-15.dat | family_gh0strat
behavioral2/memory/1464-17-0x0000000000400000-0x000000000058F000-memory.dmp | family_gh0strat

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Wine | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Loads dropped DLL (2 IoCs)
pid | Process
1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
2256 | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
File created | C:\Program Files (x86)\Xtuv\Dtuvwxyab.jpg | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
2256 | svchost.exe
(the remaining rows, 62 of the 64 IoCs, all read 2256 | svchost.exe)

Suspicious behavior: LoadsDriver (6 IoCs)
pid | Process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
648 | Process not Found

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeBackupPrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeBackupPrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeBackupPrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Token: SeRestorePrivilege | 1464 | 21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21500155f442187001dd2e9371e4e21a_JaffaCakes118.exe"
  PID: 1464
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4036,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
  PID: 112

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2256
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 105KB
MD5: 648f927dd8fcb0ffdac042788659e472
SHA1: 1cab65c17b369a4e3411744ba6879ad14e27d3da
SHA256: a4221ac068766150ae831b81cde293cae38fb1984c648522a563c1d48ca4750e
SHA512: 7d11a74755cb3007fdf1f34f44098402ccaf0a5833d009e25e7f54d1c42bdfb1c1025437468960700d8e8c708c7240ab93efbe2d802c16da7735434420e34bfb

Filesize: 5.0MB
MD5: 10395761bcd5271af1cce7bdee8cab2e
SHA1: b262e1f3190c78cc74e1d5264ce82e0a9c75faba
SHA256: 96b893ef9cd60e2d36c10d504fe45140c91d706c9ef8bb95ee4fc6051ccb9a84
SHA512: 013a3938e5b201baf06ca8fe894d8d32b4b53852b55cc90fe354b3d3377386cc6f054a066e8798b9d83d9311853d0de211eca7b52a982d7ac034e70097dd0d0a