Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2024, 17:20
Behavioral task: behavioral1
- Sample: 3b3496e812e85d90e34ade8023737fed_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: 3b3496e812e85d90e34ade8023737fed_JaffaCakes118.dll
- Size: 1.4MB
- MD5: 3b3496e812e85d90e34ade8023737fed
- SHA1: 2e17dd846d2c90ee0e4574be67b13c1e1b9a3eca
- SHA256: d06d8867e3c33eb06dcae7b633ff8f482fff412ca07e3311116dab81b9c629b0
- SHA512: 3e5fbdca678dd222489f75dd5066e852b8673106125032df772462166f344b0618ca7d7ed9f66654482bf9434aba23fd0cb94e5de5aeacf09cde8f53de198cb2
- SSDEEP: 3072:jer6rezBrn25iMt/DFGau8Ev4EuQHhZJsf++k22222222222222222222222222d:wzBr20WZGtVQxuZJsn6
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/files/0x0010000000023b90-3.dat
  yara_rule: family_gh0strat
- Loads dropped DLL (1 IoC)
  pid 1172, process svchost.exe
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\Windows\FileName.jpg (rundll32.exe)
  File created: C:\Windows\FileName.jpg (rundll32.exe)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1172, process svchost.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege, pid 4112, process rundll32.exe (4 entries)
  Token: SeRestorePrivilege, pid 4112, process rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3688 (rundll32.exe) wrote to memory of PID 4112, procid_target 83 (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3496e812e85d90e34ade8023737fed_JaffaCakes118.dll,#1
  PID: 3688
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b3496e812e85d90e34ade8023737fed_JaffaCakes118.dll,#1
    PID: 4112
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 1172
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 10.6MB
  MD5: b9266ca1af00758f5daf929b3dc2df4a
  SHA1: 18cc3cdb87e76954dba656480bd9208ea73bea03
  SHA256: 2783e87dbde146f02f087b40e67803d7e47fecd1c30cda1c76af18840b8d5895
  SHA512: c521e86a06c502137c2a23231e65e6acfbca9fe794de666daae1826b6c8f97b08fcb34dd1753366788fca6d20476ac83030a6be14d121da137e0ef3b6bc0b9cd