Analysis
max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2025, 06:18
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Size: 951KB
MD5: 47bc7aa23e046580e54a596f2301f73a
SHA1: 19f375d03b5a2d1fc8c05f18ebc2bb17304f54f0
SHA256: a35881e98b0df8d24eea1b78852ec6921ebcf0cf16bfeafd5da3453bdc4fc308
SHA512: 46733f43604a26e0eed422b2fb6187e694edeb0311ccf4fc2ac939d80544a172bd3c69112553c234a0d02ce63ac906244e09db7777af0ad7d2031fd44c272509
SSDEEP: 24576:hdufRX5CR3lXuOV2VfBEC1pGBWrvXABdswIo5Ao:hdUI3NNC1pHvwt
Malware Config
Signatures

Gh0st RAT payload (11 IoCs)
resource | yara_rule
behavioral2/memory/2552-8-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/2552-9-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/2552-10-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/2552-14-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/3616-21-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/3616-20-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/3616-23-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/3616-24-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/memory/3616-22-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat
behavioral2/files/0x0008000000023bc3-29.dat | family_gh0strat
behavioral2/memory/3616-27-0x0000000000400000-0x000000000060C000-memory.dmp | family_gh0strat

Gh0strat family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | inldtepix.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9867BCD-B791-403d-B70A-E8956A09C1EE} | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9867BCD-B791-403d-B70A-E8956A09C1EE}\stubpath = "C:\\Windows\\system32\\inldtepix.exe" | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

Executes dropped EXE (1 IoC)
pid | Process
3616 | inldtepix.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine | inldtepix.exe

Loads dropped DLL (1 IoC)
pid | Process
3916 | userinit.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\inldtepix.exe | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
File opened for modification | C:\Windows\SysWOW64\inldtepix.exe_lang.ini | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
3616 | inldtepix.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inldtepix.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | userinit.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
3616 | inldtepix.exe
3616 | inldtepix.exe
3616 | inldtepix.exe
3616 | inldtepix.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
Token: SeDebugPrivilege | 3616 | inldtepix.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2552 wrote to memory of 3616 | 2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe | 82
PID 2552 wrote to memory of 3616 | 2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe | 82
PID 2552 wrote to memory of 3616 | 2552 | JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe | 82
PID 3616 wrote to memory of 3916 | 3616 | inldtepix.exe | 83
PID 3616 wrote to memory of 3916 | 3616 | inldtepix.exe | 83
PID 3616 wrote to memory of 3916 | 3616 | inldtepix.exe | 83
PID 3616 wrote to memory of 3916 | 3616 | inldtepix.exe | 83
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe"
   PID: 2552
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Boot or Logon Autostart Execution: Active Setup
   - Identifies Wine through registry keys
   - Drops file in System32 directory
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. Image: C:\Windows\SysWOW64\inldtepix.exe
      Command line: C:\Windows\system32\inldtepix.exe
      PID: 3616
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. Image: C:\Windows\SysWOW64\userinit.exe
         Command line: userinit.exe
         PID: 3916
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 122KB
MD5: 438a0ef8a82ada2a12b88a5ced2210a9
SHA1: 835ad257a40bd09008a4e4f3a7fb29ed72fa3ad9
SHA256: dd72a35f8bde47093b96db75ada55f1ca91400ca0dabebdedcf82501c742ed24
SHA512: 09501ff5cb94518f2dc08746e302810326b8a734a7f6acdd315f80acf44dafe860c50a9d891d2fe4df4fa845848e633a3b9fdddecb065bfaeb98bcf5dc739f74

Filesize: 951KB
MD5: 05e3454f3a5527b8cbd500c1c46107a8
SHA1: 83e2f6761de0ba62d27f1e766e5ada9b17bda8de
SHA256: c7c54260a4f5f938053dcea746cdacea0a48504116369d7b0cedffa5a7f37a41
SHA512: 117031b33bc6c21728dcb74dcadedbf60d77c79087a94cb38c6ef5a23a9534650659d6930920006d4abb3acee23ccc2ef03ce71120d8de209d002dc5cf458d32