Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2025, 07:35
Behavioral task behavioral1
- Sample: JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe
- Size: 142KB
- MD5: 48690b4ff7bf12c85b0ebdb4ac979f22
- SHA1: 99082d66f6532458b23670b2a86de093e489bed5
- SHA256: 0d2b25eaf2d9794fa21b4d61d6ceae3357d57ced31456e8d8f43f6faf0fb6014
- SHA512: 7749a0284a1c27f23e3470c68a67a191551d06e01d8eb9866f46952740f0d5514d9159d7f0a4e801cf0089c687197c253952a8c175cc3b9e1b19a3bb3d2d0348
- SSDEEP: 3072:0CjbCCzKxkRMLiVUdx/j9dyDt+WDjNM7YKQo0iq/k/5F98:0CjmCOxkRlVmj9wFMsy0iqMW
Malware Config
Signatures
- Gh0st RAT payload (5 IoCs)
  resource / yara_rule:
  - behavioral1/memory/576-0-0x0000000000400000-0x0000000000425000-memory.dmp: family_gh0strat
  - behavioral1/files/0x00070000000195c5-2.dat: family_gh0strat
  - behavioral1/memory/2468-5-0x0000000010000000-0x0000000010021000-memory.dmp: family_gh0strat
  - behavioral1/memory/576-4-0x0000000000400000-0x0000000000425000-memory.dmp: family_gh0strat
  - behavioral1/memory/2468-6-0x0000000010000000-0x0000000010021000-memory.dmp: family_gh0strat
- Gh0strat family
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\360svc\Parameters\ServiceDll = "C:\\Documents and Settings\\Local User\\windmx.dll" (JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe)
- Deletes itself (1 IoCs)
  pid / Process: 2468 svchost.exe
- Loads dropped DLL (1 IoCs)
  pid / Process: 2468 svchost.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid / Process: 576 JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48690b4ff7bf12c85b0ebdb4ac979f22.exe"
  - Server Software Component: Terminal Services DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 576
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2468
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 119KB
  MD5: 6c9d87c04669378a7f6d52c1578b89c2
  SHA1: 7e7a9b566ede254b15f09f1a3a36c5f39c75acde
  SHA256: b81e351e8779f72b239eed4853c68b8eab5b1a4ebf590804dcbabe7ae3f232fe
  SHA512: 563e5da85c88ab93f923cf2c381f90293c65395643c7a9b1b21bcfba7bb7da94fec02284351b36929cff5109e5d7859806964cb286c847ff1953c0f7ae59482d