Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 07:50
Behavioral task: behavioral1
Sample: JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll
Resource: win7-20240903-en
General
Target: JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll
Size: 102KB
MD5: 329bb80c7fa723185a97a1bc01c4c2b0
SHA1: 24433c62963377cda3072515316aaf1ee85888c7
SHA256: d374e23e9747ee0282b38b28a2dcd5624fdb6ed5c5d941460bd9004d33610b2c
SHA512: d8ece1098b0fe667ca5a25fe406704b1a561f983176811e28896742006bd173c86c3975a0dbf9bba19d7c7549fe23f0bf19f78d25bd4ef777a4f63b959e27087
SSDEEP: 3072:CwySQpKa3VGVnpUlCz764/9xpElBqbZuwR5iGr:uJVGpxx9b6wZuwR4Gr
Malware Config
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral2/files/0x000e000000023c75-3.dat   yara_rule: family_gh0strat
Gh0strat family
Loads dropped DLL (1 IoC)
  pid 4468   svchost.exe
Drops file in Program Files directory (2 IoCs)
  File opened for modification   C:\Program Files (x86)\Sbpc\Yiynbcxtb.bmp   rundll32.exe
  File created                   C:\Program Files (x86)\Sbpc\Yiynbcxtb.bmp   rundll32.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4468   svchost.exe   (64 identical entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeBackupPrivilege    pid 1572   rundll32.exe   (4 entries)
  Token: SeRestorePrivilege   pid 1572   rundll32.exe   (4 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4752 wrote to memory of 1572   rundll32.exe   procid_target 84   (3 entries)
Processes
C:\Windows\system32\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll,#1   (PID 4752)
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll,#1   (PID 1572)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe   C:\Windows\SysWOW64\svchost.exe -k imgsvc   (PID 4468)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
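Detection logic for the behaviours the signatures and process tree above record, written here as an added example; it is not part of the tria.ge report and not the sample's code. The event schema (kind, pid, image, ppid, parent_image, cmdline, path, key, privilege) is an assumption loosely modelled on Sysmon-style process, file, image-load and registry telemetry, not a real log format. The events are constructed from the report's PIDs, paths and registry key; the module path on the svchost image-load event is an assumption, because the report says svchost.exe loaded a dropped DLL but does not name the file.

```python
"""Rules for the behaviours in the report: 64-bit rundll32 re-launching a
32-bit DLL from SysWOW64, rundll32 enabling SeBackup/SeRestore, rundll32
dropping into Program Files (x86), svchost -k imgsvc loading a module from
outside the system directories, and NLS\\Language lookups.
Added example; event schema and sample events are constructed (see below)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath


@dataclass
class Event:
    kind: str                         # process | privilege | file | image_load | registry
    pid: int
    image: str                        # full path of the acting process
    ppid: Optional[int] = None
    parent_image: Optional[str] = None
    cmdline: str = ""
    path: str = ""                    # file created or module loaded
    key: str = ""                     # registry key opened
    privilege: str = ""               # privilege enabled on the token


SYSTEM32 = r"C:\Windows\System32"
SYSWOW64 = r"C:\Windows\SysWOW64"
PROGRAM_FILES_X86 = r"C:\Program Files (x86)"
# SeBackup + SeRestore together let a process bypass file and registry ACLs;
# rundll32 hosting a user-supplied DLL has no normal reason to enable them.
BACKUP_RESTORE = {"SeBackupPrivilege", "SeRestorePrivilege"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, directory: str) -> bool:
    # Case-insensitive "path lives below directory" check, safe on any host OS.
    return ntpath.normcase(path).startswith(ntpath.normcase(directory) + "\\")


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) alerts, at most one per rule per pid."""
    alerts: List[Tuple[str, int, str]] = []
    seen = set()

    def fire(rule: str, pid: int, detail: str) -> None:
        if (rule, pid) not in seen:
            seen.add((rule, pid))
            alerts.append((rule, pid, detail))

    for e in events:
        actor = _name(e.image)
        # System32 rundll32 spawning SysWOW64 rundll32 for the same DLL means the
        # DLL is 32-bit. Context for the rest, not malicious on its own.
        if (e.kind == "process" and actor == "rundll32.exe"
                and e.parent_image and _name(e.parent_image) == "rundll32.exe"
                and _under(e.image, SYSWOW64) and _under(e.parent_image, SYSTEM32)):
            fire("wow64_rundll32_relaunch", e.pid, e.cmdline)
        elif e.kind == "privilege" and actor == "rundll32.exe" and e.privilege in BACKUP_RESTORE:
            fire("rundll32_backup_restore_privilege", e.pid, e.privilege)
        elif e.kind == "file" and actor == "rundll32.exe" and _under(e.path, PROGRAM_FILES_X86):
            fire("rundll32_drops_in_program_files", e.pid, e.path)
        elif (e.kind == "image_load" and actor == "svchost.exe"
                and not (_under(e.path, SYSTEM32) or _under(e.path, SYSWOW64))):
            fire("svchost_loads_non_system_dll", e.pid, e.path)
        elif e.kind == "registry" and e.key.lower().endswith(r"\control\nls\language"):
            fire("system_language_discovery", e.pid, actor)
    return alerts


DLL = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_329bb80c7fa723185a97a1bc01c4c2b0.dll"
DROPPED = r"C:\Program Files (x86)\Sbpc\Yiynbcxtb.bmp"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
R64 = r"C:\Windows\system32\rundll32.exe"
R32 = r"C:\Windows\SysWOW64\rundll32.exe"
SVC = r"C:\Windows\SysWOW64\svchost.exe"

# Constructed from the report's process tree and IoCs. The path loaded by
# svchost is an assumption (the report does not name the dropped DLL).
SAMPLE_EVENTS = [
    Event("process", 4752, R64, cmdline=f"rundll32.exe {DLL},#1"),
    Event("process", 1572, R32, ppid=4752, parent_image=R64, cmdline=f"rundll32.exe {DLL},#1"),
    Event("privilege", 1572, R32, privilege="SeBackupPrivilege"),
    Event("privilege", 1572, R32, privilege="SeRestorePrivilege"),
    Event("file", 1572, R32, path=DROPPED),
    Event("registry", 1572, R32, key=NLS_KEY),
    Event("process", 4468, SVC, cmdline=f"{SVC} -k imgsvc"),
    Event("image_load", 4468, SVC, path=r"C:\Windows\SysWOW64\ntdll.dll"),  # benign control
    Event("image_load", 4468, SVC, path=DROPPED),
    Event("registry", 4468, SVC, key=NLS_KEY),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

Each rule maps to one signature in the report; `detect` deduplicates per rule and PID so the eight AdjustPrivilegeToken entries collapse to one alert, while the two NLS\Language reads fire separately because they come from different processes. The benign ntdll.dll load is included to show the svchost rule only fires for modules outside System32 and SysWOW64.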
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.1MB
MD5: 41fe41e459452139b4aae01ed0ec9680
SHA1: 2b493028e4e35db0a31f43533cc32e16b3ce1492
SHA256: 856a465fe43421ba219b83e82fc323967b95ecaeb468219022aaa4fe81336503
SHA512: 7cad1b45e7f8046d8a954fcb772be8e9498e577446a4152f77f9df846125200ea9928e0bc2300c6e166c8e5ae6d3646fe5dfbeca4aee457233772623e3a9c14a