Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13/10/2024, 02:57

General

  • Target

    3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe

  • Size

    134KB

  • MD5

    3d6b6f6ba4a4366eddd767c0f81219f8

  • SHA1

    636af68f0da1186fcf6d7d464105b7c163739090

  • SHA256

    26aec1cbb07ba1ee713145f26cd24aad7bd7953649ed2060481317b2d53d428f

  • SHA512

    d477323ceb34a8783d048ea6a2bbce0e9be15862de7ebaa38e5769d6f882b4c4a2d880cbf954b11b583fe6b0a8a13eeb9a5bd6a542076bb88d2e8e8a3307964f

  • SSDEEP

    3072:TwZSQpKa3VGVnpUlCz764/9xpEdBqbZuwq5iGeeqovh:+JVGpxx9bKwZuwq4Geeqo

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4984
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2954200.dll

    Filesize

    101KB

    MD5

    99152cb59dd38e7e1bc2ff03ae56059b

    SHA1

    758451ebabe5023558ce195a0782d5e7062d4bd6

    SHA256

    f16d7041da1dfdeffefc8706b0b72b0ba574d4040eb873feeffd3311b5aa2a11

    SHA512

    f76be8615744300a1e8242c4cff980a026c51e302cd726aff6729d3bdef50049f6a9ccc15e756e512f8c857b20def76705bebb3809421998f9f21215e99762bf

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    a08b090163d53b615752ef73269ddbf6

    SHA1

    eb7c6c269e37a44496ce0d184c1ce463ee6c37c5

    SHA256

    5e70c9a45fbdf8718d86e0826cfe4079b1146c91178f0b62bda47e154dee599c

    SHA512

    5f77ddea656cd1909d2ba6d7568d30706da032870557cdd8c83e2c525c6acfc43943dfc512bde6292373d8e6fb98889e6f8ee267734cb25c6add66a0e37cb747

  • \??\c:\program files (x86)\pfrd\mydrfrrrn.bmp

    Filesize

    3.3MB

    MD5

    3983ff80abf7760c3063bffe9cc792ff

    SHA1

    23dbd2dc692e8fbb63610978980d0dd752e72d3c

    SHA256

    1b559eb728aed85744331cce48c276d962d86e96805e7eebc2e104f431b8c5a8

    SHA512

    a57d2ca8461c3b37ce31fd8fb8c11ca17ce18b3bae2428b1f2c0b42447201db6532fb1a87380717ac86ed10a7c09e6fad59b2f7366604a69b4008e94348dc3cc

  • memory/4984-0-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/4984-13-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB