Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2024, 02:57
Behavioral task
behavioral1
- Sample: 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
- Size: 134KB
- MD5: 3d6b6f6ba4a4366eddd767c0f81219f8
- SHA1: 636af68f0da1186fcf6d7d464105b7c163739090
- SHA256: 26aec1cbb07ba1ee713145f26cd24aad7bd7953649ed2060481317b2d53d428f
- SHA512: d477323ceb34a8783d048ea6a2bbce0e9be15862de7ebaa38e5769d6f882b4c4a2d880cbf954b11b583fe6b0a8a13eeb9a5bd6a542076bb88d2e8e8a3307964f
- SSDEEP: 3072:TwZSQpKa3VGVnpUlCz764/9xpEdBqbZuwq5iGeeqovh:+JVGpxx9bKwZuwq4Geeqo
Malware Config
Signatures
- Gh0st RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4984-0-0x0000000000400000-0x0000000000426000-memory.dmp    family_gh0strat
  behavioral2/files/0x000d000000023b6d-3.dat                                    family_gh0strat
  behavioral2/files/0x000f000000023b8d-12.dat                                   family_gh0strat
  behavioral2/memory/4984-13-0x0000000000400000-0x0000000000426000-memory.dmp   family_gh0strat
- Deletes itself (1 IoC)
  pid   Process
  1996  svchost.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  4984  3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  1996  svchost.exe
- Drops file in Program Files directory (2 IoCs)
  description                   ioc                                         Process
  File created                  C:\Program Files (x86)\Pfrd\Mydrfrrrn.bmp   3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\Pfrd\Mydrfrrrn.bmp   3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1996  svchost.exe   (64 entries, all this same pid/process)
- Suspicious behavior: LoadsDriver (6 IoCs)
  pid   Process
  4     Process not Found   (5 entries)
  676   Process not Found
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                pid   Process
  Token: SeBackupPrivilege   4984  3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe   (4 entries)
  Token: SeRestorePrivilege  4984  3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe   (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"
  PID: 4984
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 1996
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads