Analysis
- max time kernel: 95s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2025, 06:03
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
- Size: 260KB
- MD5: 479cbaa427e1a2d78eec239b2361c99a
- SHA1: a2981d0743a5f48c309ac1f10d41eda102564b99
- SHA256: 50fafb79798fd6c4d3a7a85376c05d44234de6f30846dd215f2b632804cd6b74
- SHA512: b18aa1980f6457f4870aa7e6970e2f62208b0c0d726b1645072d1f6b8325b55747ab3cd583ccf4760a62b3ca793ff66bfe3641afa0487a4c0eed6ec2955ac429
- SSDEEP: 6144:Ii8Dee6ShFGDksOFilBOvjuuDkYJCduMVx:z8K40DksoilqjuukndPj
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource | yara_rule
  behavioral2/files/0x000a000000023b4e-6.dat | family_gh0strat
- Gh0strat family
- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  8 | 2484 | rundll32.exe
  40 | 2484 | rundll32.exe
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Microsoft NetMSSQL\Parameters\ServiceDll = "C:\\Windows\\system32\\mte578126m.dll" | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  5036 | svchost.exe
  2484 | rundll32.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\RCX8397.tmp | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  File opened for modification | C:\Windows\SysWOW64\mte578126m.dll | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  File created | C:\Windows\SysWOW64\mte578126m.dll | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | rundll32.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 5036 | svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1916 wrote to memory of 3276 | 1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe | 83
  PID 1916 wrote to memory of 3276 | 1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe | 83
  PID 1916 wrote to memory of 3276 | 1916 | JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe | 83
  PID 5036 wrote to memory of 2484 | 5036 | svchost.exe | 85
  PID 5036 wrote to memory of 2484 | 5036 | svchost.exe | 85
  PID 5036 wrote to memory of 2484 | 5036 | svchost.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe"
  PID: 1916
  - Server Software Component: Terminal Services DLL
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_479cbaa427e1a2d78eec239b2361c99a.exe"
    PID: 3276
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Microsoft NetMSSQL"
  PID: 5036
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe c:\windows\system32\mte578126m.dll, neco
    PID: 2484
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.2MB
  MD5: 5691ee2e85e2da9f1b1d707f839fb907
  SHA1: 5acdd6a22510ea04a69a6b42b72e2b271bc9b671
  SHA256: 87cf0d5d09db1543a96d79762ac48fff75e029b92589162bb0889f994181b09d
  SHA512: 6850fcf0b3d0580733ee489d9098aee22b9042a592d6793b35137b8612468a7dc930690a0b5d0ce6777d43575ad39dafdfee61b21e197d2804a257fa1116907c