Analysis

  • max time kernel
    129s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 15:09

General

  • Target

    e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe

  • Size

    188KB

  • MD5

    e2cfc6f8656c2ab1934d32cfab708c04

  • SHA1

    2e68f708e31fdf7dac196c20accc6f51f1ff652f

  • SHA256

    4037c6cbfedecaeab0b515c75aa8496d49020adefbd4dc10e0db2b9f69ce3e49

  • SHA512

    7521a8e4a4a7d67cefe398d8c6632e5cbf0cb2968ec22583544d7d3a185772ccc466e2fa7e50af21bc29958b579ae166224a24236fc6d67571ac454d8f490855

  • SSDEEP

    3072:DQbz3nYOihhTLZgVk4KPe7TAP8sdM57wgBbDNlP4mttAa8sOOCmM+R:DGYNhhvKqRWTsBdM7bBb3AKAQO8H

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e2cfc6f8656c2ab1934d32cfab708c04_JaffaCakes118.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:2188
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k regsvc
      PID:3004
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs
      • Deletes itself
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • \??\c:\progra~2\google\pyvho.hhn

      Filesize

      1.2MB

      MD5

      6185bec84eb42db063d6799fd20bcdf7

      SHA1

      432dbce215a722d2646518590caff68ea43a983c

      SHA256

      0460c23b2fa0bf3dbf7630b2ca6616b7e6e23577446e726fbdd0a7d7fa766476

      SHA512

      07641b4ba17a67ecfe4214f0e35b7cf3f632f8c5d9c7888e590531a2bfcfc3d4e492d251dcd5a5f1a5bac0996a9fde3d0fc0b62d75c90ee5ad40d5a4be3be6f1

    • memory/2188-1-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/2188-6-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

    • memory/2552-9-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/2552-11-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB

    • memory/2552-10-0x0000000075DA0000-0x0000000075EB0000-memory.dmp

      Filesize

      1.1MB

    • memory/2552-14-0x0000000010000000-0x0000000010023000-memory.dmp

      Filesize

      140KB