Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/02/2025, 07:50
Behavioral task: behavioral1
- Sample: JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll
- Size: 102KB
- MD5: 329bb80c7fa723185a97a1bc01c4c2b0
- SHA1: 24433c62963377cda3072515316aaf1ee85888c7
- SHA256: d374e23e9747ee0282b38b28a2dcd5624fdb6ed5c5d941460bd9004d33610b2c
- SHA512: d8ece1098b0fe667ca5a25fe406704b1a561f983176811e28896742006bd173c86c3975a0dbf9bba19d7c7549fe23f0bf19f78d25bd4ef777a4f63b959e27087
- SSDEEP: 3072:CwySQpKa3VGVnpUlCz764/9xpElBqbZuwR5iGr:uJVGpxx9b6wZuwR4Gr
Malware Config
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/files/0x000c000000015cd0-3.dat | yara_rule: family_gh0strat
- Gh0strat family
- Loads dropped DLL (1 IoC)
  pid: 2192 | Process: svchost.exe
- Drops file in Program Files directory (2 IoCs)
  File opened for modification | C:\Program Files (x86)\Sbpc\Yiynbcxtb.bmp | rundll32.exe
  File created | C:\Program Files (x86)\Sbpc\Yiynbcxtb.bmp | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2192 | Process: svchost.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege | pid: 2588 | Process: rundll32.exe (4 entries)
  Token: SeRestorePrivilege | pid: 2588 | Process: rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2548 wrote to memory of 2588 | pid: 2548 | Process: rundll32.exe | procid_target: 30 (7 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll,#1
   PID: 2548
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 2548)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll,#1
      PID: 2588
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
3. C:\Windows\SysWOW64\svchost.exe
   Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
   PID: 2192
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16.2MB
- MD5: 6f4a0e55ff55fb3333b671c647590455
- SHA1: 1e0811971cb31b5de5d94dc798ac70a1cd3d622f
- SHA256: 3d636df4bda699745ab492a72fb2f97e381012ac4a07245d2db2c7d776d8d81d
- SHA512: 7b28ebd094d4112763902e3aff9e12d17f4fc6b37602c4ec2f1b287dd06a404d43bf814b5f805de432546052fabe0ed2ff0e331b650f198db26563e0ec0eb1b3