Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/06/2024, 19:10

General

  • Target
    0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe
  • Size
    96KB
  • MD5
    0a54aa06961b372d7b08ea3d441e0d64
  • SHA1
    3e79b93d1dbfcd5beb39da26774ba85e0f8bb5ec
  • SHA256
    55f4bec3680f7d11105834785cbe2638d5114a0ca564e74ab59efbddbb2b2eee
  • SHA512
    2e287d461650b61214ee112be487b8e8105e1658bc9e7970d1646aff005a56cccc7dff1fb3aaca99f0c17b88e0d8386a695c71a7c1ee44a44aac0227080eaed0
  • SSDEEP
    3072:C+S4jHS8q/3nTzePCwNUh4E92HmuLAUSmc:Cx428q/nTzePCwG7cmg6

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3620
    • \??\c:\users\admin\appdata\local\ncodkxuigu
      "C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\0a54aa06961b372d7b08ea3d441e0d64_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1084
      2⤵
      • Program crash
      PID:4044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5068 -ip 5068
    1⤵
    PID:3204
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1064
      2⤵
      • Program crash
      PID:3444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 908 -ip 908
    1⤵
    PID:3804
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1108
      2⤵
      • Program crash
      PID:2084
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4384 -ip 4384
    1⤵
    PID:3220
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2236
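
The process tree above carries several patterns worth turning into detections: svchost.exe started with -k netsvcs -s fastuserswitchingcompatibility and loading a dropped DLL, the extensionless dropped binary ncodkxuigu executed with the dropper's own path as its command line (the dropper is then deleted), and three svchost instances crashing in turn under WerFault. The Python below is an added example, not part of the tria.ge report: it replays the tree as constructed process events (PIDs and command lines as shown on the page, parent PIDs inferred from the tree depth) and runs four simple rules over them. The service watchlist, the argv[0]/image mismatch check and the no-extension heuristic are hunting assumptions of mine, not something the report itself states.

```python
"""Added detection example (not part of the tria.ge report): replays the
report's process tree as constructed events and flags Gh0st-style patterns."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report
    image: str     # image path as logged
    cmdline: str


# Constructed from the report's process tree (same PIDs and command lines);
# parent PIDs follow the tree depth shown, 0 where the report shows a root.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0a54aa06961b372d7b08ea3d441e0d64_JaffaCakes118.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
EVENTS = [
    ProcEvent(3620, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2060, 3620, r"\??\c:\users\admin\appdata\local\ncodkxuigu",
              f'"{SAMPLE}" a -s' + SAMPLE.lower()),
    ProcEvent(5068, 0, SVCHOST, f"{SVCHOST} -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(4044, 5068, WERFAULT, f"{WERFAULT} -u -p 5068 -s 1084"),
    ProcEvent(3204, 0, WERFAULT, f"{WERFAULT} -pss -s 448 -p 5068 -ip 5068"),
    ProcEvent(908, 0, SVCHOST, f"{SVCHOST} -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(3444, 908, WERFAULT, f"{WERFAULT} -u -p 908 -s 1064"),
    ProcEvent(3804, 0, WERFAULT, f"{WERFAULT} -pss -s 452 -p 908 -ip 908"),
    ProcEvent(4384, 0, SVCHOST, f"{SVCHOST} -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(2084, 4384, WERFAULT, f"{WERFAULT} -u -p 4384 -s 1108"),
    ProcEvent(3220, 0, WERFAULT, f"{WERFAULT} -pss -s 508 -p 4384 -ip 4384"),
]

# Assumption (watchlist, not from the report): FastUserSwitchingCompatibility is
# an XP-era service name; an svchost hosting it on Windows 10 implies a service
# the malware registered itself, with its own ServiceDll.
WATCHED_SERVICES = {"fastuserswitchingcompatibility"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def svchost_service(ev: ProcEvent):
    """Lower-cased -s service name of an svchost.exe launch, else None."""
    if _basename(ev.image).lower() != "svchost.exe":
        return None
    m = re.search(r"(?i)\s-s\s+(\S+)", ev.cmdline)
    return m.group(1).lower() if m else None


def rule_watched_service(events):
    return [(ev.pid, f"svchost hosting watched service {svc}")
            for ev in events if (svc := svchost_service(ev)) in WATCHED_SERVICES]


def rule_argv0_mismatch(events):
    """Image on disk differs from the program named in the command line
    (here ncodkxuigu runs with the dropper's own path as argv[0])."""
    out = []
    for ev in events:
        img, arg0 = _basename(ev.image).lower(), _basename(_argv0(ev.cmdline)).lower()
        if arg0 and img != arg0:
            out.append((ev.pid, f"argv[0] {arg0!r} does not match image {img!r}"))
    return out


def rule_appdata_no_extension(events):
    """Executable directly under %LOCALAPPDATA% with no file extension."""
    pat = re.compile(r"(?i)\\appdata\\local\\([^\\]+)$")
    return [(ev.pid, f"extensionless binary in AppData\\Local: {m.group(1)}")
            for ev in events if (m := pat.search(ev.image)) and "." not in m.group(1)]


def rule_service_crash_loop(events, min_instances=2):
    """The same svchost service faulting (WerFault -u -p <pid>) in several
    instances: a hosted DLL that keeps crashing and being restarted."""
    by_pid = {ev.pid: ev for ev in events}
    crashed = defaultdict(set)
    for ev in events:
        if _basename(ev.image).lower() != "werfault.exe":
            continue
        m = re.search(r"-u\s+-p\s+(\d+)", ev.cmdline)
        target = by_pid.get(int(m.group(1))) if m else None
        svc = svchost_service(target) if target else None
        if svc:
            crashed[svc].add(target.pid)
    return [(sorted(pids), f"svchost service {svc} crashed in {len(pids)} instances")
            for svc, pids in crashed.items() if len(pids) >= min_instances]


def triage(events):
    """Run every rule and return (subject, message) findings in rule order."""
    findings = []
    for rule in (rule_watched_service, rule_argv0_mismatch,
                 rule_appdata_no_extension, rule_service_crash_loop):
        findings.extend(rule(events))
    return findings


if __name__ == "__main__":
    for subject, message in triage(EVENTS):
        print(subject, message)
```

Against the constructed events the watchlist rule fires on the three svchost PIDs, the mismatch and no-extension rules both single out PID 2060, and the crash-loop rule groups 908, 4384 and 5068 under one service name. On real telemetry the same rules would read Sysmon event ID 1 or EDR process-creation records; the only field the report does not give directly is the parent PID, which is why the crash-loop rule resolves WerFault's -p argument instead of relying on ppid.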

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\ncodkxuigu
    Filesize: 22.2MB
    MD5: 5a574d246c585e48f4689c513d8fee56
    SHA1: ce380ea5a0e2d91a01241c6ffa0c51db8691e6f1
    SHA256: 90785eb4dbfa2868aa3eaa96bedc0900bfb3049ee665c83b66c267bc28ee9c0a
    SHA512: 87d9fef05714aac3dbfa17e64677160a390d85ae0346cee420e55839572556590cdde0753ecd285d250ec78442a6ecf08a4f7807d1164950158dedd51998f8f0

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 204B
    MD5: 110977b10ff698183a821c3a23a4ce6e
    SHA1: dad6d6ffccb67205157164f478c07edd7981bf25
    SHA256: a0483f5aab467488e5f948c275c08ef54335a5f3df30b1d9895d2901e2a3bb14
    SHA512: 92ac52ee5c0212b5814833919eb447946bbd935d5aa834e666ae57490ca8e6bea191d10238d2db1fba6deefe1f24d6cc18443ea290a30f72ca786876dde9541a

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 306B
    MD5: b184afa1e84bf5872a392474d782bd4a
    SHA1: 9828cf97410e31884ceeb018a15599654b50cee3
    SHA256: 913577107f54d0f57851d06cc2dc288eeba04153987ce942b28ac4cd1ac9662a
    SHA512: 030fcaa185107f14166e41c3d7650b8830055802123385f7424c7a339cf69c47cc6835aa1a8c18e99720c7e1e793b9fad4f1dfb32b1b6273f795079debf87c6e

  • \??\c:\programdata\application data\storm\update\%sessionname%\vymwi.cc3
    Filesize: 24.0MB
    MD5: 819eff2cb0c3d6aab89eae1532939bc6
    SHA1: a066f6e598386ee2a87a03b21c7ef46faa284b0e
    SHA256: a2b5f6395998c5723b5cedd9cc02f0863198f2c3dc753d6056aeea97a51b4527
    SHA512: d320503c2c3e0c0b3cbeb5144579bc298c78c74b5fc3b1b6d9e273cc5b1ee40a6017380e280c20f205c62c10a9c11efc865661bfcdff02ca9836c20be703e44e

  • memory/908-22-0x00000000011C0000-0x00000000011C1000-memory.dmp
    Filesize: 4KB

  • memory/908-25-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/2060-14-0x0000000000400000-0x000000000044E29C-memory.dmp
    Filesize: 312KB

  • memory/2060-7-0x0000000000400000-0x000000000044E29C-memory.dmp
    Filesize: 312KB

  • memory/3620-10-0x0000000000400000-0x000000000044E29C-memory.dmp
    Filesize: 312KB

  • memory/3620-0-0x0000000000400000-0x000000000044E29C-memory.dmp
    Filesize: 312KB

  • memory/3620-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB

  • memory/4384-27-0x00000000011F0000-0x00000000011F1000-memory.dmp
    Filesize: 4KB

  • memory/4384-30-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/5068-18-0x00000000017E0000-0x00000000017E1000-memory.dmp
    Filesize: 4KB

  • memory/5068-20-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB