Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2025, 08:58
Behavioral task: behavioral1
- Sample: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
- Size: 176KB
- MD5: 4916ebcb1d4fc22bb0a9d8f0114b5edc
- SHA1: 916cde50f58a8b94be7c29ae16965f5b194657c6
- SHA256: 20c016f775260c8348004416a0757c716d76ce80328e98614fa52e699e232bc1
- SHA512: 4b70d59ce3ba4f056059afbb365ea655cd7ed5616ca665cfd7fbdfbaf354c8aca384cbb20a8cad3600cf2ea64810c464ffe36132988bb37003e4a81cb1baa158
- SSDEEP: 3072:RcYcYKEzcW526y6hs6PhwtqrorsVlkTEIcy1O4F3JhMWIknqX5d+vIjc8UW:RcBYKEz557e2VroYoTU4JOWnS5d+v0cu
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/files/0x000c000000015d2a-17.dat | yara_rule: family_gh0strat
- Gh0strat family
- Blocklisted process makes network request (1 IoC)
  flow: 3 | pid: 2284 | Process: rundll32.exe
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  Set value (str) | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Rspdates Apxplicatioan\Parameters\ServiceDll | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
- Deletes itself (1 IoC)
  pid: 2284 | Process: rundll32.exe
- Loads dropped DLL (2 IoCs)
  pid: 1884 | Process: svchost.exe
  pid: 2284 | Process: rundll32.exe
- Drops file in Windows directory (3 IoCs)
  File opened for modification | ioc: C:\Windows\hfsetemp.ini | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
  File created | ioc: C:\Windows\Svchost.txt | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
  File created | ioc: C:\Windows\Svchost.reg | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
  Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: svchost.exe
  Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid: 1884 | Process: svchost.exe (48 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeBackupPrivilege | pid: 2612 | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
  Token: SeRestorePrivilege | pid: 2612 | Process: JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe
  Token: SeDebugPrivilege | pid: 1884 | Process: svchost.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1884 (svchost.exe) wrote to memory of 2284 | procid_target: 31 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe (level 1, PID 2612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4916ebcb1d4fc22bb0a9d8f0114b5edc.exe"
  - Server Software Component: Terminal Services DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (level 1, PID 1884)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2, nested under svchost.exe PID 1884, PID 2284)
    Command line: rundll32.exe "c:\windows\system32\winnie.cmd",EASTNOD Rspdates Apxplicatioan
    - Blocklisted process makes network request
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 365B
  MD5: 0c6fb48ec14cf0535df55de346aad98a
  SHA1: 3ded5fa6488a3fbc0ae8ffa8269732d17cbfb82c
  SHA256: b59f28f8e20f0eb15cae824246fd105d3e5a912fb94355e096efdce3165c29f8
  SHA512: 2fbad828180479c22a9f9496f322c4763c225724081c956cad9b9ba0da71121db664071093a1074ed9c18db926717c0cafcfe6e82e4eb9009bdb271238464909
- Filesize: 1.1MB
  MD5: 67d1b4b96ce31e39c35cc856a0b48e80
  SHA1: 93bd97523fe9ddde52187bb52bcb31d35bf9d4c5
  SHA256: c74fd5340fb0f9c3fecf7817c56e2fe7699fc3d5814ced2ce869f65edd24c975
  SHA512: eaa25222bd9c6d5718758e5b55476fb4a9fe9e9ba120c4607e7cb71ea63fde26a8b8b2560c548ab82cc4a233e0d1ec5f1266ae19fada9360f358425d263cb0f1