General

  • Target

    82f2716ba60da548c40b7b900d3c8287_JaffaCakes118

  • Size

    198KB

  • Sample

    240802-eked7szard

  • MD5

    82f2716ba60da548c40b7b900d3c8287

  • SHA1

    d8eb82d5ac1fcda00f401de4c5e5ffac125e3872

  • SHA256

    8954f89ab35c094149d31786dd2b0861651ddfc0cdc472eb979e1a41d913e050

  • SHA512

    7eaf4817bbee02b3d8d10ac2da179ab5c5cc9d7560bade08842f8b5660268a16d3cff41a9b7055c736723cb31740a842377808538e414d3ecc8562d3f3c5b21d

  • SSDEEP

    6144:tNny7a4tEGnTH5thy7r+P3QHNmmi25ttBOxjMoF:+btV1thyaQHNxTbAgo

Malware Config

Targets

    • Target

      82f2716ba60da548c40b7b900d3c8287_JaffaCakes118

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15