Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2025, 06:56
Behavioral task
- behavioral1
  Sample: JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll
  Resource: win7-20250207-en
General
- Target: JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll
- Size: 107KB
- MD5: 324fc6ff8730ecc7482f00886e563990
- SHA1: 8f3d625c020266a38248601fcad712fb5d94e356
- SHA256: 75bda978b53fc716d5ed485bd28f57aa97bde9c1cc135fd5955f488969d8b553
- SHA512: 28caa8e693ea50a44050dfdecee4bbbee6adabbd79cb7a9b11b4cb7f7c1a7e2bf467b7ee44f47d5934a708db8a673f18808f95359693036d2bedd1d4ba3c7eda
- SSDEEP: 3072:0Q0pNdwkC34OCs/4BguhYnpRlehwMibZvwvI:bIOCKUxwpbHBZvwvI
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral2/files/0x0010000000023be6-3.dat, yara_rule: family_gh0strat
- Gh0strat family
- Loads dropped DLL (1 IoC)
  pid: 2892, Process: svchost.exe
- Drops file in Windows directory (2 IoCs)
  description: File opened for modification, ioc: C:\Windows\FileName.jpg, Process: rundll32.exe
  description: File created, ioc: C:\Windows\FileName.jpg, Process: rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2892, Process: svchost.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description: Token: SeBackupPrivilege, pid: 60, Process: rundll32.exe (4 entries)
  description: Token: SeRestorePrivilege, pid: 60, Process: rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 5076 wrote to memory of 60, pid: 5076, Process: rundll32.exe, procid_target: 85 (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll,#1
  PID: 5076
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, child of PID 5076)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_324fc6ff8730ecc7482f00886e563990.dll,#1
    PID: 60
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
  PID: 2892
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.3MB
  MD5: 07f5d53e5eb5e4609634b5519f6548a1
  SHA1: 78efa4da0eb397a9d3aea2d2cda734d13071310e
  SHA256: 95251301d2f2b96074d5dfb31ce6a0d27ee82aed02539d83291797e464a7c15b
  SHA512: 7e91d76882fac8adf43bffaadc52c80c40b21ebb38ac0de97a1c90c8ca4be656cb13f1cfd2890be3fbf0da8c82493abc57a6ee3944913310ed422b6f5047d93a