
Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24/08/2024, 04:46

General

  • Target: bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
  • Size: 96KB
  • MD5: bdeae0db47216ff68d46763fe6cab9f8
  • SHA1: b8f1fe96444e83c1a48497c7469c04ed5e9c7787
  • SHA256: 023d3b4d9ccb843ceb8e367ae2dd2a84a7d9834bdcc2dac60a112f10eb4ad189
  • SHA512: bf825dd542f62c1fe6ec688940812d46bbb4aa72c394e53017e90871044dc457675f9d9baf377d04a9b176c967a108e6225ffc0df8f6933710785f2519c5d0a4
  • SSDEEP: 1536:xhFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8pr5lqiOaN:x3S4jHS8q/3nTzePCwNUh4E95l8aN

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2628
    • \??\c:\users\admin\appdata\local\gpvwitbbue
      "C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\bdeae0db47216ff68d46763fe6cab9f8_jaffacakes118.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4436
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 844
      2⤵
      • Program crash
      PID:3396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4720 -ip 4720
    1⤵
    PID:940
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1052
      2⤵
      • Program crash
      PID:5088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424
    1⤵
    PID:3648
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1100
      2⤵
      • Program crash
      PID:1380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2292 -ip 2292
    1⤵
    PID:4916
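The tree above shows three behaviours worth turning into host-side checks: the dropped copy (gpvwitbbue) runs with the original .exe path as its argv[0], a SysWOW64 svchost.exe hosts a service named fastuserswitchingcompatibility under -k netsvcs, and WerFault reports that host crashing three times in a row. The Python below is an added example, not tria.ge output and not code from the sample. The process records are constructed to mirror the tree (Sysmon-style fields are assumed; PPIDs 700 and 1000 stand in for services.exe and explorer.exe and are invented), the service allowlist is hypothetical, and it assumes FastUserSwitchingCompatibility is not a service a stock Windows 10 host runs. The SHA256 values come from the Downloads section below.

```python
"""Host-side detection derived from the tria.ge process tree above.

Added example, not tria.ge output and not code from the sample. Process
records are constructed to mirror the tree (Sysmon-style fields, assumed);
PPIDs 700/1000 stand in for services.exe/explorer.exe and are invented.
Assumption: FastUserSwitchingCompatibility is not a service a stock
Windows 10 host runs, so it is absent from the (hypothetical) allowlist.
"""
import hashlib
import re
from dataclasses import dataclass

# SHA256 values copied from the Downloads section of the report.
DROPPED_SHA256 = {
    "5424679fc32b28f1c2deffe8d78f7dc56e98584ed5f80bbf457446d593983fe2":
        r"c:\programdata\application data\storm\update\%sessionname%\oguvy.cc3",
    "58307f81ce30eb5480d4b28d642e845ad4ed23256996e1940464f42ad53ec6b6":
        r"c:\users\admin\appdata\local\gpvwitbbue",
}

# Hypothetical allowlist of services svchost may host with "-s" on this estate.
ALLOWED_SERVICES = {"schedule", "wuauserv", "bits", "iphlpsvc", "lanmanserver"}

SVCHOST_RE = re.compile(r'svchost\.exe"?\s+-k\s+(\S+)(?:\s+-p)?\s+-s\s+(\S+)', re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # path of the executable actually mapped
    cmdline: str  # command line as logged


def argv0(cmdline):
    """First token of a command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours seen in the tree."""
    alerts = []
    by_pid = {e.pid: e for e in events}
    crashed = {}  # service name -> pids of svchost instances WerFault reported on
    for e in events:
        # The dropped copy (gpvwitbbue) ran with the original .exe path as
        # argv[0]: image on disk and argv[0] disagree.
        if argv0(e.cmdline).lower() != e.image.lower():
            alerts.append(("image/argv0 mismatch", e.pid, f"{e.image} <- {argv0(e.cmdline)}"))
        m = SVCHOST_RE.search(e.cmdline)
        if m:
            svc = m.group(2).lower()
            if svc not in ALLOWED_SERVICES:
                alerts.append(("unlisted svchost service", e.pid, svc))
            # netsvcs members on x64 run from System32; a SysWOW64 host is odd.
            if "\\syswow64\\" in e.image.lower():
                alerts.append(("32-bit svchost hosting service", e.pid, svc))
        m = WERFAULT_RE.search(e.cmdline)  # "-u -p <pid>" names the crashed process
        if m:
            victim = by_pid.get(int(m.group(1)))
            vm = SVCHOST_RE.search(victim.cmdline) if victim else None
            if vm:
                crashed.setdefault(vm.group(2).lower(), []).append(victim.pid)
    for svc, pids in crashed.items():
        if len(pids) >= 2:  # the dropped DLL took down three hosts in the report
            alerts.append(("service host crashing repeatedly", pids[0], f"{svc} x{len(pids)}"))
    return alerts


def match_dropped_file(data):
    """Path from the report whose SHA256 matches data, or None."""
    return DROPPED_SHA256.get(hashlib.sha256(data).hexdigest())


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bdeae0db47216ff68d46763fe6cab9f8_JaffaCakes118.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
# Constructed process records mirroring the report's tree (PPIDs invented).
SAMPLE_EVENTS = [
    ProcEvent(2628, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4436, 2628, r"c:\users\admin\appdata\local\gpvwitbbue",
              f'"{SAMPLE}" a -s' + SAMPLE.lower()),
    ProcEvent(4720, 700, SVCHOST, SVCHOST + " -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(3396, 4720, WERFAULT, WERFAULT + " -u -p 4720 -s 844"),
    ProcEvent(940, 700, WERFAULT, WERFAULT + " -pss -s 440 -p 4720 -ip 4720"),
    ProcEvent(1424, 700, SVCHOST, SVCHOST + " -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(5088, 1424, WERFAULT, WERFAULT + " -u -p 1424 -s 1052"),
    ProcEvent(2292, 700, SVCHOST, SVCHOST + " -k netsvcs -s fastuserswitchingcompatibility"),
    ProcEvent(1380, 2292, WERFAULT, WERFAULT + " -u -p 2292 -s 1100"),
    # benign control: 64-bit host for an allowlisted service, must not alert
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The argv[0] rule is a triage heuristic rather than a verdict: launchers that pass an 8.3 short name or a different casing also trip it, which is why the comparison is case-insensitive and why the other two rules are needed to corroborate. The crash rule only counts WerFault's `-u -p <pid>` invocations, since the `-pss ... -ip` instances are the reporting side and name the same PID a second time.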

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 202B
    MD5: b0b33a9326e0bce67d5a2ec6b86723a8
    SHA1: 684eced70f81b00f05e0b80179befef9350cf386
    SHA256: b5d9a96afc483b0485674009d4ded3758811484127b99a60f9bf30c4b523af91
    SHA512: 92ca6be74b7dd4323fa14b3ca6d85c34fc14d719d9cf42343d8e2ba4e37810b0fc48892a7e69459d174c835b478a3ecc4e59bc5adf8103d56c2f3894cf81714e

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize: 303B
    MD5: e5bf6bc14c98f7e912026e8386722b62
    SHA1: e46d2d54dab20ebb9c4084bee69f74ee769d13b1
    SHA256: 10c3d02dc0179307fe3fc09029d8ce695858e7b2934a467320fed4e0f47729e2
    SHA512: 1f0ddf98ecd9aae39b2be6f96496e3238d84c3eb21747b7756d17b79c3d4226bd8a3698bf9bbedc76643767b73d2ae5c70b0e5d7577a1bba9964b591b1bcab7e

  • \??\c:\programdata\application data\storm\update\%sessionname%\oguvy.cc3
    Filesize: 20.1MB
    MD5: 8eb32f0aab7a7b9c23cf1197cc9e06d1
    SHA1: 3d1f1e6f906b5d7463f68100d966451b3f867391
    SHA256: 5424679fc32b28f1c2deffe8d78f7dc56e98584ed5f80bbf457446d593983fe2
    SHA512: 74ac8f8c9c3e7276d61193e2e42514d9aa192a30c472b548ecea75628110d41650710627a889797eab812c39b97bf69b276c4d6b75ad5a21b57f10c5db020765

  • \??\c:\users\admin\appdata\local\gpvwitbbue
    Filesize: 23.0MB
    MD5: 42f9f75e87de93fb359459f759cbcc1f
    SHA1: d73a2877073b071ebf9d9bd378b320e47bf3e4a4
    SHA256: 58307f81ce30eb5480d4b28d642e845ad4ed23256996e1940464f42ad53ec6b6
    SHA512: fd0d428e694b596c9a6da935e94a10aea4235344b4c9be367765b59e999f33b08cb9a84e7d383913560467c9987aa60264649f80f3890e44ec7f7a46bfccd89e

  • memory/1424-24-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/1424-21-0x00000000013E0000-0x00000000013E1000-memory.dmp
    Filesize: 4KB

  • memory/2292-29-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/2292-26-0x0000000001BF0000-0x0000000001BF1000-memory.dmp
    Filesize: 4KB

  • memory/2628-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize: 4KB

  • memory/2628-0-0x0000000000400000-0x000000000044E2EC-memory.dmp
    Filesize: 312KB

  • memory/2628-9-0x0000000000400000-0x000000000044E2EC-memory.dmp
    Filesize: 312KB

  • memory/4436-11-0x0000000000400000-0x000000000044E2EC-memory.dmp
    Filesize: 312KB

  • memory/4436-16-0x0000000000400000-0x000000000044E2EC-memory.dmp
    Filesize: 312KB

  • memory/4720-19-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize: 156KB

  • memory/4720-17-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
    Filesize: 4KB