Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24/08/2024, 04:46
Static task
static1
Behavioral task
behavioral1
Sample
bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
-
Size
96KB
-
MD5
bdeae0db47216ff68d46763fe6cab9f8
-
SHA1
b8f1fe96444e83c1a48497c7469c04ed5e9c7787
-
SHA256
023d3b4d9ccb843ceb8e367ae2dd2a84a7d9834bdcc2dac60a112f10eb4ad189
-
SHA512
bf825dd542f62c1fe6ec688940812d46bbb4aa72c394e53017e90871044dc457675f9d9baf377d04a9b176c967a108e6225ffc0df8f6933710785f2519c5d0a4
-
SSDEEP
1536:xhFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr5lqiOaN:x3S4jHS8q/3nTzePCwNUh4E95l8aN
Malware Config
Signatures
-
Gh0st RAT payload 5 IoCs
resource yara_rule behavioral2/files/0x0009000000023465-14.dat family_gh0strat behavioral2/memory/4436-16-0x0000000000400000-0x000000000044E2EC-memory.dmp family_gh0strat behavioral2/memory/4720-19-0x0000000020000000-0x0000000020027000-memory.dmp family_gh0strat behavioral2/memory/1424-24-0x0000000020000000-0x0000000020027000-memory.dmp family_gh0strat behavioral2/memory/2292-29-0x0000000020000000-0x0000000020027000-memory.dmp family_gh0strat -
Deletes itself 1 IoCs
pid Process 4436 gpvwitbbue -
Executes dropped EXE 1 IoCs
pid Process 4436 gpvwitbbue -
Loads dropped DLL 3 IoCs
pid Process 4720 svchost.exe 1424 svchost.exe 2292 svchost.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\svchost.exe.txt svchost.exe File created C:\Windows\SysWOW64\ywreudxudd svchost.exe File opened for modification C:\Windows\SysWOW64\svchost.exe.txt svchost.exe File created C:\Windows\SysWOW64\ygosewsadm svchost.exe File opened for modification C:\Windows\SysWOW64\svchost.exe.txt svchost.exe File created C:\Windows\SysWOW64\yodlmavwqi svchost.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 3396 4720 WerFault.exe 93 5088 1424 WerFault.exe 99 1380 2292 WerFault.exe 102 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gpvwitbbue Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4436 gpvwitbbue 4436 gpvwitbbue -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeRestorePrivilege 4436 gpvwitbbue Token: SeBackupPrivilege 4436 gpvwitbbue Token: SeBackupPrivilege 4436 gpvwitbbue Token: SeRestorePrivilege 4436 gpvwitbbue Token: SeBackupPrivilege 4720 svchost.exe Token: SeRestorePrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeSecurityPrivilege 4720 svchost.exe Token: SeSecurityPrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeSecurityPrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeSecurityPrivilege 4720 svchost.exe Token: SeBackupPrivilege 4720 svchost.exe Token: SeRestorePrivilege 4720 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeRestorePrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeSecurityPrivilege 1424 svchost.exe Token: SeSecurityPrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeSecurityPrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeSecurityPrivilege 1424 svchost.exe Token: SeBackupPrivilege 1424 svchost.exe Token: SeRestorePrivilege 1424 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeRestorePrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeSecurityPrivilege 2292 svchost.exe Token: SeSecurityPrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeSecurityPrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeSecurityPrivilege 2292 svchost.exe Token: SeBackupPrivilege 2292 svchost.exe Token: SeRestorePrivilege 2292 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2628 wrote to memory of 4436 2628 bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe 87 PID 2628 wrote to memory of 4436 2628 bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe 87 PID 2628 wrote to memory of 4436 2628 bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\users\admin\appdata\local\gpvwitbbue"C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\bdeae0db47216ff68d46763fe6cab9f8_jaffacakes118.exe2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4720 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 8442⤵
- Program crash
PID:3396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4720 -ip 47201⤵PID:940
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 10522⤵
- Program crash
PID:5088
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 14241⤵PID:3648
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2292 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 11002⤵
- Program crash
PID:1380
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2292 -ip 22921⤵PID:4916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202B
MD5b0b33a9326e0bce67d5a2ec6b86723a8
SHA1684eced70f81b00f05e0b80179befef9350cf386
SHA256b5d9a96afc483b0485674009d4ded3758811484127b99a60f9bf30c4b523af91
SHA51292ca6be74b7dd4323fa14b3ca6d85c34fc14d719d9cf42343d8e2ba4e37810b0fc48892a7e69459d174c835b478a3ecc4e59bc5adf8103d56c2f3894cf81714e
-
Filesize
303B
MD5e5bf6bc14c98f7e912026e8386722b62
SHA1e46d2d54dab20ebb9c4084bee69f74ee769d13b1
SHA25610c3d02dc0179307fe3fc09029d8ce695858e7b2934a467320fed4e0f47729e2
SHA5121f0ddf98ecd9aae39b2be6f96496e3238d84c3eb21747b7756d17b79c3d4226bd8a3698bf9bbedc76643767b73d2ae5c70b0e5d7577a1bba9964b591b1bcab7e
-
Filesize
20.1MB
MD58eb32f0aab7a7b9c23cf1197cc9e06d1
SHA13d1f1e6f906b5d7463f68100d966451b3f867391
SHA2565424679fc32b28f1c2deffe8d78f7dc56e98584ed5f80bbf457446d593983fe2
SHA51274ac8f8c9c3e7276d61193e2e42514d9aa192a30c472b548ecea75628110d41650710627a889797eab812c39b97bf69b276c4d6b75ad5a21b57f10c5db020765
-
Filesize
23.0MB
MD542f9f75e87de93fb359459f759cbcc1f
SHA1d73a2877073b071ebf9d9bd378b320e47bf3e4a4
SHA25658307f81ce30eb5480d4b28d642e845ad4ed23256996e1940464f42ad53ec6b6
SHA512fd0d428e694b596c9a6da935e94a10aea4235344b4c9be367765b59e999f33b08cb9a84e7d383913560467c9987aa60264649f80f3890e44ec7f7a46bfccd89e