Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/10/2024, 02:57

General

  • Target

    3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe

  • Size

    134KB

  • MD5

    3d6b6f6ba4a4366eddd767c0f81219f8

  • SHA1

    636af68f0da1186fcf6d7d464105b7c163739090

  • SHA256

    26aec1cbb07ba1ee713145f26cd24aad7bd7953649ed2060481317b2d53d428f

  • SHA512

    d477323ceb34a8783d048ea6a2bbce0e9be15862de7ebaa38e5769d6f882b4c4a2d880cbf954b11b583fe6b0a8a13eeb9a5bd6a542076bb88d2e8e8a3307964f

  • SSDEEP

    3072:TwZSQpKa3VGVnpUlCz764/9xpEdBqbZuwq5iGeeqovh:+JVGpxx9bKwZuwq4Geeqo

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2980
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2030500.dll

    Filesize

    101KB

    MD5

    99152cb59dd38e7e1bc2ff03ae56059b

    SHA1

    758451ebabe5023558ce195a0782d5e7062d4bd6

    SHA256

    f16d7041da1dfdeffefc8706b0b72b0ba574d4040eb873feeffd3311b5aa2a11

    SHA512

    f76be8615744300a1e8242c4cff980a026c51e302cd726aff6729d3bdef50049f6a9ccc15e756e512f8c857b20def76705bebb3809421998f9f21215e99762bf

  • C:\Program Files (x86)\Pfrd\Mydrfrrrn.bmp

    Filesize

    143KB

    MD5

    79e8a259ee327d96db959b84c58d3fa9

    SHA1

    631310382fe638c6d9cf03c8e7c7b67b46e0a609

    SHA256

    726f4be2ecfdfe53daa907d42ed2187351059fddd1c1f489a8bb2f337d8831c8

    SHA512

    2972591de4108d960bdeacc4425978bb94c665eef89fd7dcb05e7a66038a695e0bc028325f6bb98c53f954e3789f0c26f62549b494023747c29ad39e94eb40e0

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    07ef806e013c61b0d1c74ee1afd09071

    SHA1

    e1825e857bfc4b54ed746f68bd7e56d77188a9f0

    SHA256

    301e798c5f4930ebc3a10d9069fffdf2068522d725b0ac28fec12c98df47f88b

    SHA512

    7d21e0959bf58077165b4cffb893145182e9e152dc3b08d9db7e3da65bb3e38a3e854cafd36956d4e530bf0c46fec4e7b3de20d719ffa22c5311bd6e7ca110ea

  • \??\c:\program files (x86)\pfrd\mydrfrrrn.bmp

    Filesize

    10.7MB

    MD5

    7a2b154aa906aa1a5442b7a6aa7bced8

    SHA1

    d005854af9befc9d1b303c9e26c977c64e0f758d

    SHA256

    1e8e2104dd4e83c01a49d3f674d375f638926addab61779480f70cefcdad7ea5

    SHA512

    126bb784f17f1ad7b0eece8a03aa1b01a3cf71f6dd147baf56027bb78c7651752649e127df68271f908a47c4335dc6765ce41b4473059d941f8aa9702d346218

  • memory/2980-0-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2980-12-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2980-11-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB