Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 12:34

General

  • Target

    JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe

  • Size

    82KB

  • MD5

    3f9d6dcc5ecc15be183c3b3f999bd8d8

  • SHA1

    ad8f0bfa542fe20335967fc0ccc20b32524e7a1c

  • SHA256

    55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114

  • SHA512

    4bc5305f63a879cc4003a949f1381cc1c55fbeda97b53453e2651267cc196664f4a5c3623327fa893bc96973d145b9ac8bae7c88f92d81aeb4eb53ae7720eb81

  • SSDEEP

    1536:Io48KAfHKom0RK2zuOpfS4BL99L9Rm8hOW7bdQdkA7ZrrAPh:DWeqovR5zuOpfJnL9f5bOdT7ZXi

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe"
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1128
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2496500.dll

    Filesize

    101KB

    MD5

    92ae02dac610f816fb2de1f992e72916

    SHA1

    adbfdcd5f9a227df039da2998f24754cfe03c0c7

    SHA256

    535e1fa0e2a27ba57113908f881cd0baa50b5f38fe9de6ea40fd5bd9b2736f4d

    SHA512

    506dea9755a720c9ef25cbaa6441cb4bd39f05048ea5b8385df68f8aca7969b1f372ad36c988cae6e4a5b7eb508424464367d0dfe9f78afbb1419d84bf64f15f

  • C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg

    Filesize

    265KB

    MD5

    b9a2bd63d7899c77ba1fd380515977be

    SHA1

    26955657efa20ea450a1cdd9697993b5eaeae0fc

    SHA256

    ccd23f4b02d5ef5b61fff7ac77878d35759150f1f4af6d5343aeb4413d2d4a3d

    SHA512

    26e193cb219a09af2a27d38d5283db93093c475da4bb52b9ad1611259f5303735d0ba44b20d2fc94c0b8a3c0dc2def61ef534408e962bc639714d5f051236d44

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    956204eaf359f7daf010daf84dc3fd73

    SHA1

    0ed130939cadc2df66d2dbc76418fff8300bab80

    SHA256

    ac3832e6187bd867e928c3d0f051ff934b8a66a855b72181c24678b9c8fbb7d8

    SHA512

    e8941aa58637ef4ae2eaca85c439a99ca001b9cf7d99c187c6530ba6be4cbb69a769400cc409804aca41a23cdee6f965820132c28c05b2afeed33efef7b8e9d3

  • \??\c:\program files (x86)\ubfe\hmsacbojb.jpg

    Filesize

    11.2MB

    MD5

    807a2389f751c5da53e90487860d48b5

    SHA1

    8e1dd95fc6d0bf032cc2b803971c5db9230479c9

    SHA256

    aa07322c57d613670af9fcd29f1bb656bc58a87337810616727ff33f707755eb

    SHA512

    012247a9dd1936ef91ab6aaf5c5d5ceb43bec33f4499a9bebfb29423fde9880bc5e8ff08700ded0ab44bfa7ba34e7514223b587c61e55b198095ae5e5398c10b

  • memory/1128-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1128-1-0x0000000000240000-0x000000000027A000-memory.dmp

    Filesize

    232KB

  • memory/1128-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1128-4-0x000000000042B000-0x000000000042C000-memory.dmp

    Filesize

    4KB

  • memory/1128-13-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB
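The Downloads section above is the part of this report that turns directly into host indicators. The script below is an added example, not part of the tria.ge report or of any tool the page describes: it copies the submitted sample's digests and the five dropped-file digests from this page into a lookup table (SHA512 values are left out for brevity; they are on the page), hashes every file under a directory in one pass, and reports any file whose MD5, SHA1 or SHA256 matches. The function names, the directory layout and the "constructed-sample" data in demo_scan() are assumptions made for illustration.

```python
"""Match files on disk against the dropped-file hashes listed in this report.

Added example; the digests in REPORT_IOCS are copied from the report's
General and Downloads sections, everything else here is constructed.
"""
import hashlib
import io
import tempfile
from pathlib import Path

# Keyed by SHA256; md5/sha1 kept so a partial indicator list still matches.
REPORT_IOCS = {
    "55088f908115710fad9e9d04efe9eec06ee0a16bca9453b75683f452cbd72114": {
        "name": "JaffaCakes118_3f9d6dcc5ecc15be183c3b3f999bd8d8.exe",
        "md5": "3f9d6dcc5ecc15be183c3b3f999bd8d8",
        "sha1": "ad8f0bfa542fe20335967fc0ccc20b32524e7a1c",
    },
    "535e1fa0e2a27ba57113908f881cd0baa50b5f38fe9de6ea40fd5bd9b2736f4d": {
        "name": r"C:\2496500.dll",
        "md5": "92ae02dac610f816fb2de1f992e72916",
        "sha1": "adbfdcd5f9a227df039da2998f24754cfe03c0c7",
    },
    "ccd23f4b02d5ef5b61fff7ac77878d35759150f1f4af6d5343aeb4413d2d4a3d": {
        "name": r"C:\Program Files (x86)\Ubfe\Hmsacbojb.jpg (265KB)",
        "md5": "b9a2bd63d7899c77ba1fd380515977be",
        "sha1": "26955657efa20ea450a1cdd9697993b5eaeae0fc",
    },
    "ac3832e6187bd867e928c3d0f051ff934b8a66a855b72181c24678b9c8fbb7d8": {
        "name": r"c:\NT_Path.jpg",
        "md5": "956204eaf359f7daf010daf84dc3fd73",
        "sha1": "0ed130939cadc2df66d2dbc76418fff8300bab80",
    },
    "aa07322c57d613670af9fcd29f1bb656bc58a87337810616727ff33f707755eb": {
        "name": r"c:\program files (x86)\ubfe\hmsacbojb.jpg (11.2MB)",
        "md5": "807a2389f751c5da53e90487860d48b5",
        "sha1": "8e1dd95fc6d0bf032cc2b803971c5db9230479c9",
    },
}

CHUNK = 1 << 20  # read files in 1 MiB pieces so large drops do not sit in RAM


def digest_stream(fobj):
    """Compute md5, sha1 and sha256 in a single pass over a binary file object."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return digest_stream(io.BytesIO(data))


def build_index(iocs):
    """Flatten the indicator table into {digest (any algorithm): indicator name}."""
    index = {}
    for sha256, rec in iocs.items():
        index[sha256.lower()] = rec["name"]
        for alg in ("md5", "sha1"):
            if alg in rec:
                index[rec[alg].lower()] = rec["name"]
    return index


def match_digests(digests, index):
    """Return (indicator name, algorithm) for the strongest matching digest, else None."""
    for alg in ("sha256", "sha1", "md5"):
        hit = index.get(digests[alg].lower())
        if hit:
            return hit, alg
    return None


def scan_tree(root, iocs):
    """Hash every regular file under root and return [(path, indicator, algorithm)]."""
    index = build_index(iocs)
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as f:
                digests = digest_stream(f)
        except OSError:  # unreadable or vanished file: skip, do not abort the scan
            continue
        match = match_digests(digests, index)
        if match:
            hits.append((str(path), match[0], match[1]))
    return hits


def demo_scan():
    """Constructed demo: one benign file and one file whose hash we register as an IoC."""
    sample = b"abc"  # constructed content, not malware
    demo_iocs = dict(REPORT_IOCS)
    demo_iocs[digest_bytes(sample)["sha256"]] = {"name": "constructed-sample"}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "benign.txt").write_bytes(b"nothing to see here")
        (Path(tmp) / "dropped.bin").write_bytes(sample)
        return scan_tree(tmp, demo_iocs)


if __name__ == "__main__":
    for path, name, alg in demo_scan():
        print(f"HIT {path}: {name} (matched by {alg})")
```

Point it at a mounted image or a suspect host's C:\ (for example `scan_tree(r"C:\", REPORT_IOCS)`) to check for the dropped files; because the index also carries MD5 and SHA1, the same table works when a feed only supplies one digest type. Note that the two Hmsacbojb.jpg entries on the page have different sizes and hashes, so both are kept as separate indicators rather than collapsed.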