Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10/07/2024, 14:57
Behavioral task: behavioral1
- Sample: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
- Size: 5.0MB
- MD5: 353460cba8112c89e5f12205bccb7291
- SHA1: 240863a0f4daa9b7b9dbdbd55329694cd7c0f6d9
- SHA256: 1b4dedf68df2f9dbc11d379e13d9171e83ccfe4aa87307749e7e75837f5a171f
- SHA512: a6ac12c03396e264e60fa4e5f7a00f132a9bd3465b21410692bbc5efa2ca334b3717c165ffc9c9b20a2e40c4755f7689c7ddcb12c02365d9a4db39f382f20446
- SSDEEP: 6144:Ex3hy2HYbRmb0EKmfC7Rfb4h00Lfb4h00q44g:Ex3hyYmmK9fsLfsmg
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/files/0x000d0000000139f6-2.dat; yara_rule: family_gh0strat
- Deletes itself (1 IoC)
  pid: 2768; Process: cmd.exe
- Loads dropped DLL (1 IoC)
  pid: 2208; Process: RUNDLL32.exe
- Drops file in Program Files directory (3 IoCs)
  - File opened for modification: C:\Program Files\temp0\QQ.exe; Process: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
  - File created: \??\c:\Program Files\WINDOWSS.INI; Process: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
  - File created: C:\Program Files\temp0\QQ.exe; Process: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2324; Process: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe (same entry recorded 3 times)
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 2324 wrote to memory of 2208; Process: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe; procid_target: 30 (same entry recorded 7 times)
  - PID 2324 wrote to memory of 2768; Process: 353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe; procid_target: 32 (same entry recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\353460cba8112c89e5f12205bccb7291_JaffaCakes118.exe"
  PID: 2324
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\RUNDLL32.exe
    Command line: RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
    PID: 2208
    - Loads dropped DLL
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c afc9fe2f418b00a0.bat
    PID: 2768
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  Filesize: 2KB
  MD5: 0de9cd045b4643ff552c48920422e07f
  SHA1: a8a4befa17cbdd72d057e6a72e0182cc1d4b2650
  SHA256: d4f6f97070eebe1c2ec0c8cf952479335505d40b5c0183cb70c1783bd2821417
  SHA512: 434c2572c0acc0d0c7d167ab2f41b49656a5c557f299cad618e63f1b58d79ccb36bba77410d7c1f6c74a5999a284ef7564308c830b96856b73fd6e9f7cc39077
- File 2
  Filesize: 10.3MB
  MD5: 4bb1e15c1105d842397f3cfc460ad734
  SHA1: abee0eb1928b9fbc7cba8321a3db0f909b52f68a
  SHA256: 75715077634803e7da1cb89febfb179cd60cbf9f5f201dba284bbfd82101b2c4
  SHA512: 690f9dfdd6fb40504e49c405d50ebdb38531f1543ddd51433c161e7a6b4489e5118d2f78daecd8026a26f16d674a105a9fa1d1b2cb1051833650c4d0a4e10823