Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 04:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Size: 137KB
MD5: 319457f48e0c52165f9bdd0fb53837da
SHA1: 0573839f46a1d83c2f1e6b1dc976e1008006c1d8
SHA256: 36ac25c2091b56bbd5407e2fc11666e02da1db030bfe391f07607bf5e1f95ddb
SHA512: 55572b9b17ab0a014ab04919347b84d5265144ebe31f152d4ff4c6adc25e318bb6d593e00d80817c85e9ba18191840af3cc3f69204ce4090434b2e9d47cea3b0
SSDEEP: 3072:c6JR+uNAEaC3KtYlG4tOLjzqch+ChaCraZE6UVhn/06zl/Xey:cgZNATdYlG4AzqE+CxruE6Ufn/V
Malware Config
Signatures
Gh0st RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000023c8e-12.dat | family_gh0strat
  behavioral2/memory/4836-15-0x0000000000400000-0x000000000041E000-memory.dmp | family_gh0strat
  behavioral2/memory/4836-32-0x0000000000400000-0x000000000041E000-memory.dmp | family_gh0strat
  behavioral2/files/0x0008000000023c8f-31.dat | family_gh0strat
Gh0strat family
Drops file in Drivers directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | svchost.exe
Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityex.dll" | server.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Executes dropped EXE (1 IoC)
  pid | Process
  4836 | server.exe
Loads dropped DLL (1 IoC)
  pid | Process
  4168 | svchost.exe
Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibilityex.dll | server.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies data under HKEY_USERS (8 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | svchost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4896 | WINWORD.EXE
  4896 | WINWORD.EXE
Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  664 | Process not Found
Suspicious use of SetWindowsHookEx (14 IoCs)
  pid | Process
  4896 | WINWORD.EXE (14 identical entries)
Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 456 wrote to memory of 4896 | 456 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 86
  PID 456 wrote to memory of 4896 | 456 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 86
  PID 456 wrote to memory of 4836 | 456 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 87
  PID 456 wrote to memory of 4836 | 456 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 87
  PID 456 wrote to memory of 4836 | 456 | JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe (PID 456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_319457f48e0c52165f9bdd0fb53837da.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4896)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\爱情、经不起时间或距离的考验.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  Child: C:\Users\Admin\AppData\Local\Temp\server.exe (PID 4836)
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\svchost.exe (PID 4168)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads