Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 137s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2025, 12:34
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Resource: win7-20240708-en
General
Target: JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Size: 82KB
MD5: 3f9d6dcc5ecc15be183c3b3f999bd8d8
SHA1: ad8f0bfa542fe20335967fc0ccc20b32524e7a1c
SHA256: 55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114
SHA512: 4bc5305f63a879cc4003a949f1381cc1c55fbeda97b53453e2651267cc196664f4a5c3623327fa893bc96973d145b9ac8bae7c88f92d81aeb4eb53ae7720eb81
SSDEEP: 1536:Io48KAfHKom0RK2zuOpfS4BL99L9Rm8hOW7bdQdkA7ZrrAPh:DWeqovR5zuOpfJnL9f5bOdT7ZXi
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1128-5-0x0000000000400000-0x000000000043A000-memory.dmp | family_gh0strat
behavioral1/files/0x000a0000000195c4-9.dat | family_gh0strat
behavioral1/files/0x000a0000000195c4-12.dat | family_gh0strat
behavioral1/memory/1128-13-0x0000000010000000-0x000000001001C000-memory.dmp | family_gh0strat
behavioral1/files/0x000a0000000120d5-16.dat | family_gh0strat

Gh0strat family
Deletes itself (1 IoC)
pid | Process
2592 | svchost.exe

Loads dropped DLL (1 IoC)
pid | Process
2592 | svchost.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
File created | C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2592 | svchost.exe (same entry repeated 64 times)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeBackupPrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Token: SeRestorePrivilege | 1128 | JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe"
  PID: 1128
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2592
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 101KB
MD5: 92ae02dac610f816fb2de1f992e72916
SHA1: adbfdcd5f9a227df039da2998f24754cfe03c0c7
SHA256: 535e1fa0e2a27ba57113908f881cd0baa50b5f38fe9de6ea40fd5bd9b2736f4d
SHA512: 506dea9755a720c9ef25cbaa6441cb4bd39f05048ea5b8385df68f8aca7969b1f372ad36c988cae6e4a5b7eb508424464367d0dfe9f78afbb1419d84bf64f15f

Filesize: 265KB
MD5: b9a2bd63d7899c77ba1fd380515977be
SHA1: 26955657efa20ea450a1cdd9697993b5eaeae0fc
SHA256: ccd23f4b02d5ef5b61fff7ac77878d35759150f1f4af6d5343aeb4413d2d4a3d
SHA512: 26e193cb219a09af2a27d38d5283db93093c475da4bb52b9ad1611259f5303735d0ba44b20d2fc94c0b8a3c0dc2def61ef534408e962bc639714d5f051236d44

Filesize: 99B
MD5: 956204eaf359f7daf010daf84dc3fd73
SHA1: 0ed130939cadc2df66d2dbc76418fff8300bab80
SHA256: ac3832e6187bd867e928c3d0f051ff934b8a66a855b72181c24678b9c8fbb7d8
SHA512: e8941aa58637ef4ae2eaca85c439a99ca001b9cf7d99c187c6530ba6be4cbb69a769400cc409804aca41a23cdee6f965820132c28c05b2afeed33efef7b8e9d3

Filesize: 11.2MB
MD5: 807a2389f751c5da53e90487860d48b5
SHA1: 8e1dd95fc6d0bf032cc2b803971c5db9230479c9
SHA256: aa07322c57d613670af9fcd29f1bb656bc58a87337810616727ff33f707755eb
SHA512: 012247a9dd1936ef91ab6aaf5c5d5ceb43bec33f4499a9bebfb29423fde9880bc5e8ff08700ded0ab44bfa7ba34e7514223b587c61e55b198095ae5e5398c10b