Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
25/06/2024, 16:28
General
-
Target
0ec024243a3918640ea5391448ba6931_JaffaCakes118.exe
-
Size
272KB
-
MD5
0ec024243a3918640ea5391448ba6931
-
SHA1
9c4464ab0a3f5548378dd62eb149a0852f2843be
-
SHA256
3065a73dc9c51a8771e00c32687d2e8d82b96b7a64ba4c542bd1b5aea03bb536
-
SHA512
81898d2c4b890460dbe3dd90e95bf67dbdb132c3d35aa2b16000099643632c7ed34ee0a547690c7d854b381052126fe3b5e2d0a7899ac5ce570ac06033e18d70
-
SSDEEP
6144:J00geEaFb79FR1eTboMMnIroSe5Kvf8QLBBzAM+GuN8QpKPig:J00geEaF1L5tSeMlLbzL+jkf
Malware Config
Signatures
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 11 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 5 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ec024243a3918640ea5391448ba6931_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0ec024243a3918640ea5391448ba6931_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\qiuqi0.exe"C:\Program Files\Common Files\qiuqi0.exe" "C:\Program Files\Common Files\maoma0.dll" ServiceMain2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Documents and Settings\qiuqi0.exe"C:\Documents and Settings\qiuqi0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c del C:\DOCUME~1\qiuqi0.exe3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c del C:\Users\Admin\AppData\Local\Temp\0EC024~1.EXE2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24.1MB
MD5753459e40f44371c104eff19a6f15fc9
SHA1a3398c8c937371c7fa8b2bb60d0c9afa1468c5bd
SHA256ddd716d15a05ba358d74fe002fff6fae5eddb8ce40494993d264d78cf78991dd
SHA5120763040b76a3b484df738582e1dbb359a29d8efe3cd6b23f8d486f97083c35fe4e686125bb2099d08f5a9b508a1bc51be6b607fc695936a7525f61c697e5e33b
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
24.0MB
MD595d2a40087b803f804ff4a63b039c606
SHA1e6924bff1eb1e980a5c30d700ff936b33275526e
SHA256fa99b882eabbd653d85279d48c806d5dc7ebf27988eaa3efd291530c2334d884
SHA5121ba688eac41eecfa2211d408003d8551eb1ba524d43b1cd49552eff4374bb3a4c6fbffe2f7ff805efde58a30b6cb2ca9d2d4bfe6ac84e79e709a1128d39908a4
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
248KB
-
Filesize
484KB
-
Filesize
24KB
-
Filesize
484KB
-
Filesize
248KB
-
Filesize
484KB