Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system -
submitted
28/02/2025, 06:56
Behavioral task
behavioral1
Sample
JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll
Resource
win7-20250207-en
General
-
Target
JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll
-
Size
107KB
-
MD5
324fc6ff8730ecc7482f00886e563990
-
SHA1
8f3d625c020266a38248601fcad712fb5d94e356
-
SHA256
75bda978b53fc716d5ed485bd28f57aa97bde9c1cc135fd5955f488969d8b553
-
SHA512
28caa8e693ea50a44050dfdecee4bbbee6adabbd79cb7a9b11b4cb7f7c1a7e2bf467b7ee44f47d5934a708db8a673f18808f95359693036d2bedd1d4ba3c7eda
-
SSDEEP
3072:0Q0pNdwkC34OCs/4BguhYnpRlehwMibZvwvI:bIOCKUxwpbHBZvwvI
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral1/files/0x000b0000000120ea-3.dat family_gh0strat behavioral1/memory/2116-4-0x0000000010000000-0x000000001001E000-memory.dmp family_gh0strat -
Gh0strat family
-
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\FileName.jpg rundll32.exe File created C:\Windows\FileName.jpg rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe 2116 svchost.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeBackupPrivilege 2608 rundll32.exe Token: SeRestorePrivilege 2608 rundll32.exe Token: SeBackupPrivilege 2608 rundll32.exe Token: SeRestorePrivilege 2608 rundll32.exe Token: SeBackupPrivilege 2608 rundll32.exe Token: SeRestorePrivilege 2608 rundll32.exe Token: SeBackupPrivilege 2608 rundll32.exe Token: SeRestorePrivilege 2608 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2424 wrote to memory of 2608 2424 rundll32.exe 30 PID 2424 wrote to memory of 2608 2424 rundll32.exe 30 PID 2424 wrote to memory of 2608 2424 rundll32.exe 30 PID 2424 wrote to memory of 2608 2424 rundll32.exe 30 PID 2424 wrote to memory of 2608 2424 rundll32.exe 30 PID 2424 wrote to memory of 2608 2424 rundll32.exe 30 PID 2424 wrote to memory of 2608 2424 rundll32.exe 30
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2116
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD54ce80c738e6da202f5295feff3063616
SHA11ddcbfe3476c93c5949ad9c9caab96d6c3a8713e
SHA25651534984af81a7790cfd6da1b313cb82b281a91ce46507dae188d0d3a64f2c92
SHA51218eb78775f98c6e272ca1e0f3b532ec5909e81187af2e4f92776af0782254c22d0ea4fdce91d1906991586edaaecc4a71fcf6bd247501782ceb3bf75c5c04cf0