Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2025, 17:31
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe
Size: 96KB
MD5: 42130d5a7889059be4f6ffef613d7b86
SHA1: 0dd11354487f05665517edcb7054a592f4ee48b6
SHA256: 10fc1455dc00058a2ccf919a44ac1fb2b6bd3045a8f5498ac2d78637eff434c7
SHA512: 038dcd97b92a1fabf9fbe3e75ca9cf10771e5deaef1f97913bd67a29c083ac9efeef5a9d087e8eb7a98ff0331cc85dda4acf3d33afbbeac7eb6044f2c509b1bc
SSDEEP: 1536:mKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prOVhEr/DcYWw:mQS4jHS8q/3nTzePCwNUh4E9OV2bNWw
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x000f000000023bd7-15.dat | family_gh0strat
  behavioral2/memory/3728-17-0x0000000000400000-0x000000000044E2A4-memory.dmp | family_gh0strat
  behavioral2/memory/4024-20-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
  behavioral2/memory/4624-25-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
  behavioral2/memory/4632-30-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
Gh0strat family
Deletes itself (1 IoCs)
  pid | Process
  3728 | giwytxmuiw
Executes dropped EXE (1 IoCs)
  pid | Process
  3728 | giwytxmuiw
Loads dropped DLL (3 IoCs)
  pid | Process
  4024 | svchost.exe
  4624 | svchost.exe
  4632 | svchost.exe
Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\bfecrocxys | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\bwpjjlaalx | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\bwpjjlaalx | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  2796 | 4024 | WerFault.exe | 83
  4436 | 4624 | WerFault.exe | 91
  4580 | 4632 | WerFault.exe | 94
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | giwytxmuiw
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3728 | giwytxmuiw
  3728 | giwytxmuiw
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 3728 | giwytxmuiw
  Token: SeBackupPrivilege | 3728 | giwytxmuiw
  Token: SeBackupPrivilege | 3728 | giwytxmuiw
  Token: SeRestorePrivilege | 3728 | giwytxmuiw
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeRestorePrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeSecurityPrivilege | 4024 | svchost.exe
  Token: SeSecurityPrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeSecurityPrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeSecurityPrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4024 | svchost.exe
  Token: SeRestorePrivilege | 4024 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeRestorePrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeSecurityPrivilege | 4624 | svchost.exe
  Token: SeSecurityPrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeSecurityPrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeSecurityPrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4624 | svchost.exe
  Token: SeRestorePrivilege | 4624 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeRestorePrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeSecurityPrivilege | 4632 | svchost.exe
  Token: SeSecurityPrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeSecurityPrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeSecurityPrivilege | 4632 | svchost.exe
  Token: SeBackupPrivilege | 4632 | svchost.exe
  Token: SeRestorePrivilege | 4632 | svchost.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2260 wrote to memory of 3728 | 2260 | JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe | 82
  PID 2260 wrote to memory of 3728 | 2260 | JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe | 82
  PID 2260 wrote to memory of 3728 | 2260 | JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe | 82
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe (PID 2260)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  \??\c:\users\admin\appdata\local\giwytxmuiw (PID 3728)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_42130d5a7889059be4f6ffef613d7b86.exe
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe (PID 4024)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe (PID 2796)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1092
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 5020)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4024 -ip 4024

C:\Windows\SysWOW64\svchost.exe (PID 4624)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe (PID 4436)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1096
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4772)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4624 -ip 4624

C:\Windows\SysWOW64\svchost.exe (PID 4632)
  command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe (PID 4580)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 888
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 2280)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4632 -ip 4632
Network
MITRE ATT&CK Enterprise v15
Downloads