Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
25/07/2024, 14:23
General
-
Target
6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe
-
Size
223KB
-
MD5
6ff2a4ca1236a40cdbde74c086a949d5
-
SHA1
5f451121f14af83791655ad6117813b2facfd963
-
SHA256
05ff107131d3bb78a5d1b9ace8b07ee9552eab5c9476eed3dba6d730fc9b9d35
-
SHA512
d8f8335cafb6b6991bc7763549cb4dd21b305ccba93c14e439d64cf412dc4e0f84dce3cf4043fb2dfd3087de2747f2e119a3900daa8dc8558d5ab8fb9beb928f
-
SSDEEP
6144:ZZM4nDWgRAkPwUrWbi7cJVGpxx9bKwZuwk4GHeqo:1R3PwUdoJI3LK+RT
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6ff2a4ca1236a40cdbde74c086a949d5_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD51995acbdcffb7c31bb8526a4f2381739
SHA10f64668b463f9b3eef80392e5311a051ec6cbfe2
SHA2568eaebbcfa69fbbdd88cdbc9c670b1577efa67116e02387ed302fe482972a0128
SHA512b841887c6b1a3eaee5c187bf44eeb77e6763f98d97b7080506d9f704afed05f0ea2a7a5e77c4cf1378b9491822151d5de6a2d3695d5936d7d8a40c1347fd338b
-
Filesize
99B
MD54ae112db2b6eaac28464bfe32edd111d
SHA18803855ccd57fc24ee4fd8330d320efc438a7bee
SHA2567c63e132395c8e5908285b07b30dd4c7b453323b8f02cc1ba77049ae0f611e56
SHA5129ba17ef5efa9f52ed14960d4082e26647651953cce3a3228586c305bd5c8a14990b434274404cb534dd1eb89838523b31c7b279628dea3e021384674c5cde860
-
Filesize
9.1MB
MD5e943db8eb1da1215272cc986e6a1c2d5
SHA19970ffbf32eb21a374a2ee10360332674014bb13
SHA25636dade0f000350078e24833b312260d06d8ca4327d19890af0707ef996e1d721
SHA5120195d52a2b5528616abf29b5abb31b81fa5951332ebe5dcde426ad4d3da367273eb07d65932d2e21778fe0366c9b35a5710ec318106ef45d41ac156d07813227
-
Filesize
388KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
960KB
-
Filesize
388KB
-
Filesize
4KB
-
Filesize
144KB
