Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    27/06/2024, 14:52

General

  • Target

    1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    1667bc2ccace57daf8068ab201dc0996

  • SHA1

    7bf309aa53e691f6c168ccf2d2d05628855f33d2

  • SHA256

    3fd9d905d9b08c22bb5517bd4e6a1d95c5e0c2deba4fda089b7ff5dac1343810

  • SHA512

    e346239c0a43b0ee96aab8f023586a3139e985e99caad6f95c961625ad305c16564995c96d2b4691f63021e5b9aee49eef6ef2f52b8a027b8440e01118c68396

  • SSDEEP

    3072:iIXD6tSGloVFwz8BD0cjRTyVwdUE3AZnC69NJ09sTpwWwo:izlQwz8BDpWwOUA1C6rTuWf

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1667bc2ccace57daf8068ab201dc0996_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\OATH.EXE
      "C:\OATH.EXE"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im KSafeTray.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2488
      • C:\Windows\SysWOW64\RUNDLL32.exe
        RUNDLL32 "c:\Program Files\WINDOWSS.INI" main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c afc9fe2f418b00a0.bat
        3⤵
          PID:1556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\OATH.EXE

      Filesize

      172KB

      MD5

      a006cb4129f531243592629f040c9d94

      SHA1

      c121bff36f16b42ac308556a08b6addab945f250

      SHA256

      a5da7a8f657772cee923b5c3d320096418172df7be8830095bab3d226e2d9730

      SHA512

      89d6135a15fe8b98915ad648a9bf7e6e961b07d7c3280560aec1d334be2af2a94d3e268ec131ff29ffe118f2f637d25883e57e4ae76be5cbf6029cd86f9b4d6f

    • C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

      Filesize

      2KB

      MD5

      1c986aff5f096275f33a8458137e1619

      SHA1

      28f976a3467e5dbccdcf67843ccc1e6a00a9d125

      SHA256

      50c9ab50bbc41c759d697e4638eb518517f127d6d674c801b03654a1b224441c

      SHA512

      27f26ef9ce4185250d892ac80a0af629c98bbb8a13103ca9f77d09d4cfa7f1f27b2a90643ac2daf4decfcddd1c70deab4fec4d3b995d3360fc8bc0428bf4db50

    • \??\c:\Program Files\WINDOWSS.INI

      Filesize

      10.3MB

      MD5

      798ba40c2af669b0eee2a598dadf0759

      SHA1

      4c384c78513fc28f4fb612f7f9f014255e77d3c9

      SHA256

      f63539d1a59625f0c460a17496e619bdcd88e6587523cf74c7104da8431a798d

      SHA512

      5d02d5823e10f64f02b517accab3b80fb02cb43fbadefcba0e1a81c57e61f754a92896c417131bf3b34c3069d5752a6242c1ba96afda31e5ffdbed5dbf4f8ea0