Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2025, 06:18

General

  • Target

    JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe

  • Size

    951KB

  • MD5

    47bc7aa23e046580e54a596f2301f73a

  • SHA1

    19f375d03b5a2d1fc8c05f18ebc2bb17304f54f0

  • SHA256

    a35881e98b0df8d24eea1b78852ec6921ebcf0cf16bfeafd5da3453bdc4fc308

  • SHA512

    46733f43604a26e0eed422b2fb6187e694edeb0311ccf4fc2ac939d80544a172bd3c69112553c234a0d02ce63ac906244e09db7777af0ad7d2031fd44c272509

  • SSDEEP

    24576:hdufRX5CR3lXuOV2VfBEC1pGBWrvXABdswIo5Ao:hdUI3NNC1pHvwt

Malware Config

Signatures

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47bc7aa23e046580e54a596f2301f73a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Boot or Logon Autostart Execution: Active Setup
    • Identifies Wine through registry keys
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\inldtepix.exe
      C:\Windows\system32\inldtepix.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\userinit.exe
        userinit.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240622078_lang.dll

    Filesize

    122KB

    MD5

    438a0ef8a82ada2a12b88a5ced2210a9

    SHA1

    835ad257a40bd09008a4e4f3a7fb29ed72fa3ad9

    SHA256

    dd72a35f8bde47093b96db75ada55f1ca91400ca0dabebdedcf82501c742ed24

    SHA512

    09501ff5cb94518f2dc08746e302810326b8a734a7f6acdd315f80acf44dafe860c50a9d891d2fe4df4fa845848e633a3b9fdddecb065bfaeb98bcf5dc739f74

  • C:\Windows\SysWOW64\inldtepix.exe

    Filesize

    951KB

    MD5

    05e3454f3a5527b8cbd500c1c46107a8

    SHA1

    83e2f6761de0ba62d27f1e766e5ada9b17bda8de

    SHA256

    c7c54260a4f5f938053dcea746cdacea0a48504116369d7b0cedffa5a7f37a41

    SHA512

    117031b33bc6c21728dcb74dcadedbf60d77c79087a94cb38c6ef5a23a9534650659d6930920006d4abb3acee23ccc2ef03ce71120d8de209d002dc5cf458d32

  • memory/2552-10-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2552-14-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2552-5-0x00000000027A0000-0x00000000027A1000-memory.dmp

    Filesize

    4KB

  • memory/2552-4-0x00000000027C0000-0x00000000027C1000-memory.dmp

    Filesize

    4KB

  • memory/2552-3-0x0000000002780000-0x0000000002781000-memory.dmp

    Filesize

    4KB

  • memory/2552-2-0x00000000027B0000-0x00000000027B1000-memory.dmp

    Filesize

    4KB

  • memory/2552-8-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2552-9-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2552-0-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/2552-6-0x0000000002790000-0x0000000002791000-memory.dmp

    Filesize

    4KB

  • memory/2552-7-0x0000000000401000-0x0000000000405000-memory.dmp

    Filesize

    16KB

  • memory/2552-1-0x0000000077D74000-0x0000000077D76000-memory.dmp

    Filesize

    8KB

  • memory/3616-21-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/3616-20-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/3616-23-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/3616-24-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/3616-22-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/3616-19-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB

  • memory/3616-27-0x0000000000400000-0x000000000060C000-memory.dmp

    Filesize

    2.0MB