Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/06/2024, 06:22

General

  • Target

    0398d731604fedfb679868be7526407c_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    0398d731604fedfb679868be7526407c

  • SHA1

    5b74ddbdfffcff3c7b436d07ea6212c9a6a52b33

  • SHA256

    78d7793edd5db4eb68a80473e4c49ac29e600ba9ef0a0452940cf003270c6902

  • SHA512

    3346a716cc320803c78c0ebae651f9b72077bf18165f7e2640ae6e1bc3b3d3d4c866a786d3658560e2a19f7fe8efcac881e056d6287eab4959583cdd53f5eb3c

  • SSDEEP

    3072:O7CaO7x8fC8t52ojF+rKttHkoIIu6kfif20wNA:O7pON8ao5+wKodjkqfXC

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0398d731604fedfb679868be7526407c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0398d731604fedfb679868be7526407c_JaffaCakes118.exe"
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1572
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:1016
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID:4336

Network

MITRE ATT&CK Matrix

Downloads

  • C:\5900.dll
    Filesize
    113KB
    MD5
    c8bc6dabe1c652c3c7d5b1c4c908c284
    SHA1
    595aba99850dad8299854fc4d65f21129cfd28b4
    SHA256
    baf83946f64bf70ddad6d6eb459ce13f67678a33dd58f4318e9c9972453d45c0
    SHA512
    6a3a0bd44a36c23f09623cd0c04da5b8032e67c1413acd88176b80a892419c4495548eb38cd791b08d451fab001ac72cdc40ada93431e497f6acedd828ebc64f
  • C:\WinWall32.gif
    Filesize
    96B
    MD5
    0c4a3f0484670f3ad66957c398c1d5d7
    SHA1
    07d90c547104891053a53a530d4acc3a88ba77c0
    SHA256
    b364ad8b0ba4fc2cc063de177ae3c11d30227bcb38c8a52bd0aaf8a7bc9424cd
    SHA512
    3ec6d0cfd08a6cf81ee0c38902d5ec9a6cdad432fed432431a0985986f66429fcdeeb50312cfe6000c97bf22cc123cf4c9c15de6773b2e206ffdb67e496bd007
  • \??\c:\program files (x86)\uqrs\aqrstuvwx.bmp
    Filesize
    3.6MB
    MD5
    626860e4889b2e7121e01b8369f0e8ec
    SHA1
    ecbdd58c6b0f4ac6db4df2cdf9d1b9bc8a357283
    SHA256
    16e3fb809fe549abeaa3579fcf896e51144311279cf17f711481a414f54dc930
    SHA512
    6f64a6ce5ec8f2e3138b2e19016b7fd0bf5dbf8ed84068a74515e4733d874a4cecfdbc9f7e8a2dcd469e5402ddb2d70769185f59a494aa3f3b82849fb614b53f