Analysis
- max time kernel: 148s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/10/2024, 02:57
Behavioral task: behavioral1
- Sample: 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
- Size: 134KB
- MD5: 3d6b6f6ba4a4366eddd767c0f81219f8
- SHA1: 636af68f0da1186fcf6d7d464105b7c163739090
- SHA256: 26aec1cbb07ba1ee713145f26cd24aad7bd7953649ed2060481317b2d53d428f
- SHA512: d477323ceb34a8783d048ea6a2bbce0e9be15862de7ebaa38e5769d6f882b4c4a2d880cbf954b11b583fe6b0a8a13eeb9a5bd6a542076bb88d2e8e8a3307964f
- SSDEEP: 3072:TwZSQpKa3VGVnpUlCz764/9xpEdBqbZuwq5iGeeqovh:+JVGpxx9bKwZuwq4Geeqo
Malware Config
Signatures
- Gh0st RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2980-0-0x0000000000400000-0x0000000000426000-memory.dmp | family_gh0strat
  behavioral1/files/0x000d000000016009-6.dat | family_gh0strat
  behavioral1/files/0x000d000000016009-9.dat | family_gh0strat
  behavioral1/memory/2980-12-0x0000000000400000-0x0000000000426000-memory.dmp | family_gh0strat
  behavioral1/memory/2980-11-0x0000000010000000-0x000000001001C000-memory.dmp | family_gh0strat
  behavioral1/files/0x0007000000012118-15.dat | family_gh0strat
- Deletes itself (1 IoC)
  pid | Process
  2696 | svchost.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2696 | svchost.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Pfrd\Mydrfrrrn.bmp | 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  File created | C:\Program Files (x86)\Pfrd\Mydrfrrrn.bmp | 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2696 | svchost.exe (the same entry is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 2980 | 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2980 | 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  (this SeBackupPrivilege/SeRestorePrivilege pair is reported four times, 8 entries in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"
  PID: 2980
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2696
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 101KB
  MD5: 99152cb59dd38e7e1bc2ff03ae56059b
  SHA1: 758451ebabe5023558ce195a0782d5e7062d4bd6
  SHA256: f16d7041da1dfdeffefc8706b0b72b0ba574d4040eb873feeffd3311b5aa2a11
  SHA512: f76be8615744300a1e8242c4cff980a026c51e302cd726aff6729d3bdef50049f6a9ccc15e756e512f8c857b20def76705bebb3809421998f9f21215e99762bf
- Filesize: 143KB
  MD5: 79e8a259ee327d96db959b84c58d3fa9
  SHA1: 631310382fe638c6d9cf03c8e7c7b67b46e0a609
  SHA256: 726f4be2ecfdfe53daa907d42ed2187351059fddd1c1f489a8bb2f337d8831c8
  SHA512: 2972591de4108d960bdeacc4425978bb94c665eef89fd7dcb05e7a66038a695e0bc028325f6bb98c53f954e3789f0c26f62549b494023747c29ad39e94eb40e0
- Filesize: 99B
  MD5: 07ef806e013c61b0d1c74ee1afd09071
  SHA1: e1825e857bfc4b54ed746f68bd7e56d77188a9f0
  SHA256: 301e798c5f4930ebc3a10d9069fffdf2068522d725b0ac28fec12c98df47f88b
  SHA512: 7d21e0959bf58077165b4cffb893145182e9e152dc3b08d9db7e3da65bb3e38a3e854cafd36956d4e530bf0c46fec4e7b3de20d719ffa22c5311bd6e7ca110ea
- Filesize: 10.7MB
  MD5: 7a2b154aa906aa1a5442b7a6aa7bced8
  SHA1: d005854af9befc9d1b303c9e26c977c64e0f758d
  SHA256: 1e8e2104dd4e83c01a49d3f674d375f638926addab61779480f70cefcdad7ea5
  SHA512: 126bb784f17f1ad7b0eece8a03aa1b01a3cf71f6dd147baf56027bb78c7651752649e127df68271f908a47c4335dc6765ce41b4473059d941f8aa9702d346218