Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2025, 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Size: 137KB
MD5: 319457f48e0c52165f9bdd0fb53837da
SHA1: 0573839f46a1d83c2f1e6b1dc976e1008006c1d8
SHA256: 36ac25c2091b56bbd5407e2fc11666e02da1db030bfe391f07607bf5e1f95ddb
SHA512: 55572b9b17ab0a014ab04919347b84d5265144ebe31f152d4ff4c6adc25e318bb6d593e00d80817c85e9ba18191840af3cc3f69204ce4090434b2e9d47cea3b0
SSDEEP: 3072:c6JR+uNAEaC3KtYlG4tOLjzqch+ChaCraZE6UVhn/06zl/Xey:cgZNATdYlG4AzqE+CxruE6Ufn/V
Malware Config
Signatures
Gh0st RAT payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1624-5-0x0000000000440000-0x000000000045E000-memory.dmp | family_gh0strat
behavioral1/files/0x0008000000016621-3.dat | family_gh0strat
behavioral1/memory/1032-13-0x0000000000400000-0x000000000041E000-memory.dmp | family_gh0strat
behavioral1/memory/1032-20-0x0000000000400000-0x000000000041E000-memory.dmp | family_gh0strat
behavioral1/files/0x0007000000016c3a-19.dat | family_gh0strat

Gh0strat family
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | svchost.exe

Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" | server.exe

Executes dropped EXE (1 IoC)
pid | Process
1032 | server.exe

Loads dropped DLL (3 IoCs)
pid | Process
1624 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
1624 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
3020 | svchost.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll | server.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe

Office loads VBA resources, possible macro or embedded object present
Modifies data under HKEY_USERS (24 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadNetworkName = "Network 3" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d\WpadDecisionTime = 401325419989db01 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadDecisionTime = 401325419989db01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\5e-14-0a-16-b9-9d | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0169000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-14-0a-16-b9-9d\WpadDecisionReason = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01} | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A759F3AE-18C2-4115-96EB-B25D1DC6AE01}\WpadDecision = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
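The two WpadDecisionTime entries above are REG_BINARY FILETIME values dumped as little-endian hex. Decoding them gives a timestamp that can be checked against the run's own "submitted" time, which catches a wrong byte order or a misread value. This is an added example, not part of the tria.ge report: the hex string is copied from the table, while the function names, the window check and the assumption that the report's "submitted" time is UTC are this example's own.

```python
"""Decode a WpadDecisionTime REG_BINARY value as dumped by the sandbox.

Added example, not part of the tria.ge report. The hex string is copied from the
report; the function names, the window check and the assumption that the report's
"submitted" field is UTC are this example's own.
"""
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# The 8 REG_BINARY bytes exactly as printed in the table: little-endian, no separators.
WPAD_DECISION_TIME_HEX = "401325419989db01"


def filetime_from_reg_hex(hex_value: str) -> int:
    """Reinterpret the dumped bytes as an unsigned little-endian 64-bit FILETIME."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 8:
        raise ValueError(f"a FILETIME is 8 bytes, got {len(raw)}")
    return int.from_bytes(raw, "little", signed=False)


def filetime_to_datetime(filetime: int) -> datetime:
    """100 ns ticks since the FILETIME epoch -> timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // TICKS_PER_MICROSECOND)


def decode_wpad_decision_time(hex_value: str) -> datetime:
    return filetime_to_datetime(filetime_from_reg_hex(hex_value))


def parse_submitted(submitted: str) -> datetime:
    """Parse the report header's 'submitted' field (dd/mm/yyyy, HH:MM); assumed to be UTC."""
    return datetime.strptime(submitted, "%d/%m/%Y, %H:%M").replace(tzinfo=timezone.utc)


def written_during_run(value: datetime, submitted: str, max_time_kernel_s: int) -> bool:
    """Plausibility check: a timestamp the guest wrote during the run must fall between
    submission and submission + max time kernel. 'submitted' is only minute-precise, so
    the unseen seconds are added to the top of the window. A misread value (wrong byte
    order, not a FILETIME) will not land inside it, or will not fit a datetime at all."""
    start = parse_submitted(submitted)
    end = start + timedelta(seconds=60 + max_time_kernel_s)
    return start <= value <= end


if __name__ == "__main__":
    when = decode_wpad_decision_time(WPAD_DECISION_TIME_HEX)
    print(when.isoformat())                                     # 2025-02-28T04:28:45.351200+00:00
    # Header values from this report: submitted 28/02/2025, 04:28; max time kernel 150s.
    print(written_during_run(when, "28/02/2025, 04:28", 150))  # True
```

The decoded value lands 45 seconds after the minute the report lists as the submission time, which is what you expect for a WPAD decision made by svchost.exe early in the run; the same check applied to other REG_BINARY timestamps in a report (LastWrite-style values under Internet Settings, for instance) tells you quickly whether they were produced by the sample or inherited from the image.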
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2596 | WINWORD.EXE

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
476 | Process not Found

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2596 | WINWORD.EXE
2596 | WINWORD.EXE

Suspicious use of WriteProcessMemory (12 IoCs; each of the three writes below is recorded four times by the sandbox)
description | pid | Process | procid_target
PID 1624 wrote to memory of 2596 | 1624 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 30
PID 1624 wrote to memory of 1032 | 1624 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 31
PID 2596 wrote to memory of 2720 | 2596 | WINWORD.EXE | 35
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe (PID 1624)
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2596, child of 1624)
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\爱情、经不起时间或距离的考验.doc"
    (the document name is Chinese for "Love cannot withstand the test of time or distance")
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 2720, child of 2596)
      C:\Windows\splwow64.exe 12288
  C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1032, child of 1624)
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\svchost.exe (PID 3020)
  C:\Windows\SysWOW64\svchost.exe -k netsvcs
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
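The persistence chain in this run is: server.exe writes FastUserSwitchingCompatibilityex.dll, points the FastUserSwitchingCompatibility service's ServiceDll at it, and a 32-bit svchost.exe (C:\Windows\SysWOW64\svchost.exe -k netsvcs, PID 3020) later loads the dropped DLL. The ServiceDll value says C:\Windows\system32 while the file write was seen under C:\Windows\SysWOW64 because server.exe is a 32-bit process on an x64 image and WOW64 file-system redirection sends its system32 writes to SysWOW64; a 32-bit svchost resolves the path the same way, so the two refer to the same file. The script below joins the registry IoC to the file IoC across that redirection. It is an added example, not part of the tria.ge report or of any tool it uses: REPORT_LINES are four rows from the signature tables above re-typed into a hypothetical one-row-per-line form, and the parser, the path normalisation and the trusted-writer allowlist are this example's own assumptions.

```python
"""Correlate a ServiceDll registry write with the dropped file it points at.

Added example, not part of the tria.ge report or of any tool it uses. REPORT_LINES
are four IoC rows from the report's signature tables, re-typed into a hypothetical
one-row-per-line form; the parser, the path normalisation (WOW64 redirection,
%SystemRoot% expansion) and TRUSTED_REGISTRY_WRITERS are this example's own.
"""
import re

REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" server.exe',
    r'File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll server.exe',
    r'File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe',
    r'File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE',
]

SERVICEDLL_RE = re.compile(
    r'^Set value \(\w+\) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\services\\'
    r'([^\\]+)\\Parameters\\ServiceDll = "(.*)" (\S+)$',
    re.IGNORECASE,
)
FILE_WRITE_PREFIX = "File opened for modification "

# Processes that write ServiceDll values on a clean system (assumed allowlist).
TRUSTED_REGISTRY_WRITERS = {"services.exe", "msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}


def normalize_path(path: str) -> str:
    """Canonical lower-case path so a REG_SZ value and a file-write IoC compare equal.

    The registry dump escapes backslashes, ServiceDll values often use %SystemRoot%,
    and a 32-bit process on x64 Windows that writes under system32 is redirected to
    SysWOW64, so both directory names are folded onto system32 here."""
    p = path.strip().replace("\\\\", "\\").lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p.replace("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def parse_servicedll_writes(lines):
    """Registry IoCs that set <service>\\Parameters\\ServiceDll, with the writing process."""
    out = []
    for line in lines:
        m = SERVICEDLL_RE.match(line.strip())
        if m:
            out.append({"service": m.group(1), "dll": normalize_path(m.group(2)),
                        "writer": m.group(3).lower()})
    return out


def parse_file_writes(lines):
    """File IoCs: the path may contain spaces, so the process name is the last token."""
    out = []
    for line in lines:
        line = line.strip()
        if line.startswith(FILE_WRITE_PREFIX):
            path, _, proc = line[len(FILE_WRITE_PREFIX):].rpartition(" ")
            out.append({"path": normalize_path(path), "writer": proc.lower()})
    return out


def find_servicedll_hijacks(lines):
    """Flag ServiceDll values set by an untrusted process, and raise severity when the
    same run also shows a process writing the file the value points at."""
    file_writes = parse_file_writes(lines)
    findings = []
    for reg in parse_servicedll_writes(lines):
        droppers = sorted({fw["writer"] for fw in file_writes if fw["path"] == reg["dll"]})
        if reg["writer"] in TRUSTED_REGISTRY_WRITERS and not droppers:
            continue  # ordinary service installation, nothing dropped alongside it
        findings.append({**reg, "file_writers": droppers,
                         "severity": "high" if droppers else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_servicedll_hijacks(REPORT_LINES):
        print(f"[{f['severity']}] service {f['service']} -> {f['dll']} "
              f"(ServiceDll set by {f['writer']}; file written by {', '.join(f['file_writers']) or 'nobody seen'})")
```

On a live host the same join is done against HKLM\SYSTEM\CurrentControlSet\Services\*\Parameters\ServiceDll plus the on-disk file's signature and creation time rather than sandbox IoC lines; the normalisation above is what keeps a 32-bit dropper's system32 path and the SysWOW64 file it actually produced from being treated as two different artefacts.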
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 39KB
MD5: ac9aeb5e3cc8392ac924397c812c96ae
SHA1: 39c4c1ff0c939ce3e4ea9a30781f72110bda01e2
SHA256: 6420c2c2176a1308573275dd6fe21ac1f1c11d1c046c3fce2b74381233262049
SHA512: 53df2938f0731721202cb81ffa4aeab4432ba2aa7ff2d9a585729e2e271c0ef472eccc284590088024fdb1ed75598168462b18baf584459056902d60dd6f5d18

Filesize: 99KB
MD5: 7fd4b6c2d3d37e4d6478eb0a0c6a8661
SHA1: 723eedb5cc3f7a05ae08d82e4d4fb25855e13301
SHA256: fa0a6f47ab8d501e3620dd673ebfe97fce17e611fc29cea111185f4e0ba7f34a
SHA512: c49adeb4e0d8733aa9bc4209ec95f558c90aae9e5ccfc0a51d59b465b352b4e2ab83a78de5fee42a89b277f59f07da73c15c5c341cc48dede7c697e6dd3623a8

Filesize: 111KB
MD5: adcde10f51f6bd5bf78adf6fcee9d536
SHA1: 449a4df49d11dd81408cbde26fbf9f7ec05aba12
SHA256: 91e6cf834dbaf6e3e74c300b2d5963bb638c2503c4678551a7f73c40294e99b3
SHA512: 9105c71ed42b5bb7a83ba25fa3fc062412d6c983f6aaae145ec51a19f3ba054b6175ac33603f9194bb9882d8a6468512db4997cbed36ec88fa57f92785ef7e4a