Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 17:31

General

  • Target

    JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe

  • Size

    96KB

  • MD5

    42130d5a7889059be4f6ffef613d7b86

  • SHA1

    0dd11354487f05665517edcb7054a592f4ee48b6

  • SHA256

    10fc1455dc00058a2ccf919a44ac1fb2b6bd3045a8f5498ac2d78637eff434c7

  • SHA512

    038dcd97b92a1fabf9fbe3e75ca9cf10771e5deaef1f97913bd67a29c083ac9efeef5a9d087e8eb7a98ff0331cc85dda4acf3d33afbbeac7eb6044f2c509b1bc

  • SSDEEP

    1536:mKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prOVhEr/DcYWw:mQS4jHS8q/3nTzePCwNUh4E9OV2bNWw

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2260
    • \??\c:\users\admin\appdata\local\giwytxmuiw
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42130d5a7889059be4f6ffef613d7b86.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_42130d5a7889059be4f6ffef613d7b86.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1092
      2⤵
      • Program crash
      PID:2796
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4024 -ip 4024
    1⤵
      PID:5020
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1096
        2⤵
        • Program crash
        PID:4436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4624 -ip 4624
      1⤵
        PID:4772
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 888
          2⤵
          • Program crash
          PID:4580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4632 -ip 4632
        1⤵
          PID:2280

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\giwytxmuiw

          Filesize

          23.1MB

          MD5

          0ba21f4f2e37f1293536551873c6b1cd

          SHA1

          8f6a2b60e81974c147607e3f3b4ae0c46e2ac2bd

          SHA256

          595979108c95bc1f2fb74925448c82f0eba57622d5ddee40ae7da9e52749e614

          SHA512

          718ff073412287188b6607b1fc3e90d68ec78451100cc48029e204cb86c7d34ed1293a63155210034ea10d05d6cbdfb5ecac8d3c05a736cb4158612e29ae6a9b

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          202B

          MD5

          a5dce2fa756ff143709605803a6eb99c

          SHA1

          0c4ea4d576fa923facfb9c2e95e76b3ba8be5e3c

          SHA256

          34c1c50f97cae9882e58ea945f41e0b1383428a6ccb05e30a52e9082104cb0bc

          SHA512

          1d5110451d1d3a8e9b73a625c43d8e7d4965606585a7a13ef21e34642e09b7f3487f2b0b1ffa1e5c7240767450ffeecde9ee1b5b7f50670036ece01539519ed4

        • C:\Windows\SysWOW64\svchost.exe.txt

          Filesize

          303B

          MD5

          d1e7847dd9a0ac6ff25f04d23395d202

          SHA1

          0f74f60f67842bb1ee04f8bf9f077e5d88fa649f

          SHA256

          dfc88345d32ff824f866c3d961b5bc4ea645451d2d127d15639fa2aafc67798c

          SHA512

          e1b9584cbb3b17a1a8bca0bda465afa9e5bc434b03be269bedca5aadfd72a264d306c05686d7cddb2fc5f0911242b5eeb8e46dcb78493203e93b463d44fec572

        • \??\c:\programdata\application data\storm\update\%sessionname%\yshof.cc3

          Filesize

          22.0MB

          MD5

          bd7cdb7964c980da7d6b5d009260f7bd

          SHA1

          8acf4922110a920e0d697e70db10700af7cddfdb

          SHA256

          a6bbcfeb64be4a91d253dc869f3ecdefb9933d3f5bc5be901479c67058f9c3fd

          SHA512

          b4c65cff42cf634013d4cb4a5f33587811070fea5d0b4fe9e6197691ce2d2c18f640c3679d3acf163f6d0454964e85030bea1c3aa6bc9510a398b1610f120ac3

        • memory/2260-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/2260-10-0x0000000000400000-0x000000000044E2A4-memory.dmp

          Filesize

          312KB

        • memory/2260-0-0x0000000000400000-0x000000000044E2A4-memory.dmp

          Filesize

          312KB

        • memory/3728-12-0x0000000000400000-0x000000000044E2A4-memory.dmp

          Filesize

          312KB

        • memory/3728-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

          Filesize

          4KB

        • memory/3728-17-0x0000000000400000-0x000000000044E2A4-memory.dmp

          Filesize

          312KB

        • memory/4024-18-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

          Filesize

          4KB

        • memory/4024-20-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/4624-22-0x0000000001590000-0x0000000001591000-memory.dmp

          Filesize

          4KB

        • memory/4624-25-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

        • memory/4632-27-0x00000000019D0000-0x00000000019D1000-memory.dmp

          Filesize

          4KB

        • memory/4632-30-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB