
Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 06:09

General

  • Target

    38c2f198921ab41237a991512091135c_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    38c2f198921ab41237a991512091135c

  • SHA1

    b1f33372f7211c68d9b7662b4c02ab29889049cd

  • SHA256

    c354fb2d435b4b571e31ccb955e9d92d0de97017ae94144f6de4338c81579ffe

  • SHA512

    dbee7fd35daab7354db346b4c6c53bdc1080444e2cfd5a4e79dc0a266d4f98c797bb1bea6158fc7a7024d94595dd4e9f5c791ef97df2d336134fe5a82772197e

  • SSDEEP

    6144:6sIt6nW8QjBTyPRFyhYPbHcTBlhHrFndnk00:39W8NJF8YPbHcT3H

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload (1 IoC)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\38c2f198921ab41237a991512091135c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\38c2f198921ab41237a991512091135c_JaffaCakes118.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1248
    • \??\c:\users\admin\appdata\local\kvlfktximr
      "C:\Users\Admin\AppData\Local\Temp\38c2f198921ab41237a991512091135c_JaffaCakes118.exe" a -sc:\users\admin\appdata\local\temp\38c2f198921ab41237a991512091135c_jaffacakes118.exe
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\kvlfktximr

    Filesize

    22.1MB

    MD5

    6a6f331d7b46648867056e9bdfcc59bf

    SHA1

    d84003acb1b2854fe5f36d4d733d6ecc2560a584

    SHA256

    825e3210dabd24cec41d4a1657ce1e156b7de70ca98991a5e1ded14935691625

    SHA512

    2047fc856b35620aaec110c8fe9343e6c2872026a69a47163a9377a6da82bd655c49dfb5d0f625a621a62013a5636847bc7386ebfe785b114fd95f1b8aec8101