Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/04/2024, 00:00

General

  • Target

    e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe

  • Size

    164KB

  • MD5

    e3993f03c3342004c6ae7052e734f38b

  • SHA1

    77b4ff90f5ed1b71f96bf5c09587e25cf1c22f30

  • SHA256

    9247469559d064e187b283065a2d04192199301e69c8bd384f009269742d8add

  • SHA512

    30d32bb596e2a7cf8f10d485d83862bea9744e058a2565e31f2f173c028b20d53c16cced1346fa015d7c23eb9d570a5a952ece2d0df9306e71a9bf71fd61dd85

  • SSDEEP

    3072:E78Oext9OF4Q29X93I/bUH9B185mkfLyMOxyIPr7h8ISQsGg:EAOext95n9GS9jiJfLhOxyIz98ISQsGg

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Drops file in Drivers directory 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e3993f03c3342004c6ae7052e734f38b_JaffaCakes118.exe"
    • Drops file in Drivers directory
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Drops file in System32 directory
    PID:3052
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k neTsvcs
    • Drops file in Drivers directory
    • Deletes itself
    • Loads dropped DLL
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\install.tmp

    Filesize

    84B

    MD5

    0a7fc6c86175abe9e7fea57b2e6a25f1

    SHA1

    a89f88770327023f06ed1f8a0f9be938052bd1c7

    SHA256

    6f58db460257191921e8ab0d29c91ea200f0417c58040701aa3b20f9529a12e1

    SHA512

    de2078a99760ae69a6236ffec2fa7191b52267636195abc297f9c41db6cdd8ebd24ea800d612f26d72a270b34dd902f24b9723d61452b93ec53c51577eaa6314

  • \Users\Admin\AppData\Local\Temp\dll.tmp

    Filesize

    124KB

    MD5

    8be18f32bfd8dc35aacd8231c81ac199

    SHA1

    7643e420f924fcf97ba76040cd7e3951af475835

    SHA256

    1fdb538e2ffd8d11ce72bb6596f1af9fabb2bab09c763edabe6da6ab60030c53

    SHA512

    999925b555b0fe9df913e250f833afc072f59b863d6dac62b4cd2800a316b2aee95da568fae5ba3ab4b355de89c2ccaadc53465e6e9145164e5111c1083ac6b1

  • memory/3016-16-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

  • memory/3016-18-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

  • memory/3052-0-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3052-6-0x0000000010000000-0x000000001001F000-memory.dmp

    Filesize

    124KB

  • memory/3052-14-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB