Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/06/2024, 19:18

General

  • Target

    0a5d535016d1745005730a5c4906f044_JaffaCakes118.exe

  • Size

    100KB

  • MD5

    0a5d535016d1745005730a5c4906f044

  • SHA1

    ab36e882e07f9b1821f475cc6e3b2acc750f9059

  • SHA256

    d51bdf230084acbbd2e264f5af20b435b6cbf48b5f2a65a0c187af51586c663d

  • SHA512

    c1c3d9bcd497a04e8e4181b9ba39bed27fc558582f1441d2c3d6eaad3fa2d2582786f1e1f2bd06adb74cca81ef6d3bc0e9f05bb6344df03c7fc5205f43d31a76

  • SSDEEP

    1536:0ZKLXRt8zpIm5Ojz+6C2Rcu+1fafcGr1V6XDpQ4/ZCx5l6:0ZKLXRwIZpnRp+tafciT6lQ4/ZCx5l6

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access trojan (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a5d535016d1745005730a5c4906f044_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a5d535016d1745005730a5c4906f044_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    PID:2232
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe c:\windows\system32\mutihack.dll, Startup M020utiHack
      2⤵
      • Deletes itself
      • Loads dropped DLL
      PID:3068
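The process tree above is the most actionable part of the report: a service host (`svchost.exe -k netsvcs`) loads the dropped `mutihack.dll` from the system directory and then launches `rundll32.exe` against that DLL. The following script is an added example, not part of the tria.ge report, that turns those observations into detection logic. The process-creation records are constructed to mirror the tree (the parent PIDs and the benign `shell32.dll` control record are assumptions, as is the small allowlist of DLL names that rundll32 legitimately loads from System32), and the hash set is the report's own MD5/SHA1/SHA256 values for the sample and the dropped DLL.

```python
"""Detection logic over process-creation telemetry, modelled on the report above.

Added example: the event records are constructed to mirror the report's process
tree; feed Sysmon Event ID 1 (or EDR equivalent) records in a real deployment.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# MD5/SHA1/SHA256 of the sample and the dropped DLL, taken from the report.
IOC_HASHES = {
    "0a5d535016d1745005730a5c4906f044",
    "ab36e882e07f9b1821f475cc6e3b2acc750f9059",
    "d51bdf230084acbbd2e264f5af20b435b6cbf48b5f2a65a0c187af51586c663d",
    "5210c3dd5b0204dc4cb34453f6a46fc8",
    "31f7f1d5ad2a18489ed0c75cbca43cdce0a0985a",
    "2a213026f1739276f948a9fdf6ada666a6d2d41a075cfbb109fe7b022f149f67",
}

# Constructed records. PIDs 2232/2004/3068 and the command lines come from the
# report; parent PIDs 480/900 and the shell32.dll control record are assumptions.
EVENTS = [
    {"pid": 2232, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0a5d535016d1745005730a5c4906f044_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\0a5d535016d1745005730a5c4906f044_JaffaCakes118.exe"'},
    {"pid": 2004, "ppid": 480, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"},
    {"pid": 3068, "ppid": 2004, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe c:\windows\system32\mutihack.dll, Startup M020utiHack"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Assumed allowlist: DLLs that rundll32 is routinely invoked on from System32.
KNOWN_SYSTEM_DLLS = {"shell32.dll", "user32.dll", "advapi32.dll", "setupapi.dll",
                     "printui.dll", "inetcpl.cpl"}
SYSTEM_DIRS = {"system32", "syswow64"}

# rundll32 <dll>,<export> [args]; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def analyse(events):
    """Flag rundll32 launches that match the report's pattern.

    Two independent signals: an unknown DLL loaded from a system directory,
    and rundll32 spawned by a service host (as in the report's tree).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "rundll32.exe":
            continue
        reasons = []
        parsed = parse_rundll32(e["cmdline"])
        if parsed:
            dll, export = parsed
            p = PureWindowsPath(dll)
            if p.parent.name.lower() in SYSTEM_DIRS and p.name.lower() not in KNOWN_SYSTEM_DLLS:
                reasons.append(f"unknown DLL {p.name} loaded from {p.parent.name} via export {export}")
        parent = by_pid.get(e["ppid"])
        if parent and PureWindowsPath(parent["image"]).name.lower() == "svchost.exe":
            reasons.append(f"rundll32 spawned by svchost.exe ({parent['cmdline']})")
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings


def is_known_ioc(hexdigest):
    """True if a hex digest (any case) is one of the report's file hashes."""
    return hexdigest.lower() in IOC_HASHES


def hash_matches(data):
    """Hash a file's bytes with MD5/SHA1/SHA256 and return the IoC hits."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
               hashlib.sha256(data).hexdigest()}
    return digests & IOC_HASHES


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["pid"], "; ".join(f["reasons"]))
```

Only PID 3068 is flagged, on both signals; the `shell32.dll` control record passes. The allowlist is the part to tune: keep it short and audit additions, because an attacker who drops a DLL with a name that is on it evades the first rule, and rely on the parent-process rule as the second, independent signal. The report's "Server Software Component: Terminal Services DLL" signature corresponds to ATT&CK T1505.005 (persistence through the TermService `ServiceDll`); the report does not show the registry write itself, so an on-host triage should read that value and hash the DLL it points to with `hash_matches` rather than trust the file name.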

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \??\c:\windows\SysWOW64\mutihack.dll

    Filesize

    80KB

    MD5

    5210c3dd5b0204dc4cb34453f6a46fc8

    SHA1

    31f7f1d5ad2a18489ed0c75cbca43cdce0a0985a

    SHA256

    2a213026f1739276f948a9fdf6ada666a6d2d41a075cfbb109fe7b022f149f67

    SHA512

    f8e57137e3de6555812c63b296b210455427ff829db21d7a42ee49a2acce3727b874ad173c2f290af9800d337ba79bc3a868bec24f1245516b29186ca9187685