Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13/10/2024, 02:57
General
-
Target
3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
-
Size
134KB
-
MD5
3d6b6f6ba4a4366eddd767c0f81219f8
-
SHA1
636af68f0da1186fcf6d7d464105b7c163739090
-
SHA256
26aec1cbb07ba1ee713145f26cd24aad7bd7953649ed2060481317b2d53d428f
-
SHA512
d477323ceb34a8783d048ea6a2bbce0e9be15862de7ebaa38e5769d6f882b4c4a2d880cbf954b11b583fe6b0a8a13eeb9a5bd6a542076bb88d2e8e8a3307964f
-
SSDEEP
3072:TwZSQpKa3VGVnpUlCz764/9xpEdBqbZuwq5iGeeqovh:+JVGpxx9bKwZuwq4Geeqo
Malware Config
Signatures
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD599152cb59dd38e7e1bc2ff03ae56059b
SHA1758451ebabe5023558ce195a0782d5e7062d4bd6
SHA256f16d7041da1dfdeffefc8706b0b72b0ba574d4040eb873feeffd3311b5aa2a11
SHA512f76be8615744300a1e8242c4cff980a026c51e302cd726aff6729d3bdef50049f6a9ccc15e756e512f8c857b20def76705bebb3809421998f9f21215e99762bf
-
Filesize
143KB
MD579e8a259ee327d96db959b84c58d3fa9
SHA1631310382fe638c6d9cf03c8e7c7b67b46e0a609
SHA256726f4be2ecfdfe53daa907d42ed2187351059fddd1c1f489a8bb2f337d8831c8
SHA5122972591de4108d960bdeacc4425978bb94c665eef89fd7dcb05e7a66038a695e0bc028325f6bb98c53f954e3789f0c26f62549b494023747c29ad39e94eb40e0
-
Filesize
99B
MD507ef806e013c61b0d1c74ee1afd09071
SHA1e1825e857bfc4b54ed746f68bd7e56d77188a9f0
SHA256301e798c5f4930ebc3a10d9069fffdf2068522d725b0ac28fec12c98df47f88b
SHA5127d21e0959bf58077165b4cffb893145182e9e152dc3b08d9db7e3da65bb3e38a3e854cafd36956d4e530bf0c46fec4e7b3de20d719ffa22c5311bd6e7ca110ea
-
Filesize
10.7MB
MD57a2b154aa906aa1a5442b7a6aa7bced8
SHA1d005854af9befc9d1b303c9e26c977c64e0f758d
SHA2561e8e2104dd4e83c01a49d3f674d375f638926addab61779480f70cefcdad7ea5
SHA512126bb784f17f1ad7b0eece8a03aa1b01a3cf71f6dd147baf56027bb78c7651752649e127df68271f908a47c4335dc6765ce41b4473059d941f8aa9702d346218
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
112KB
