Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13/10/2024, 02:57
General
-
Target
3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe
-
Size
134KB
-
MD5
3d6b6f6ba4a4366eddd767c0f81219f8
-
SHA1
636af68f0da1186fcf6d7d464105b7c163739090
-
SHA256
26aec1cbb07ba1ee713145f26cd24aad7bd7953649ed2060481317b2d53d428f
-
SHA512
d477323ceb34a8783d048ea6a2bbce0e9be15862de7ebaa38e5769d6f882b4c4a2d880cbf954b11b583fe6b0a8a13eeb9a5bd6a542076bb88d2e8e8a3307964f
-
SSDEEP
3072:TwZSQpKa3VGVnpUlCz764/9xpEdBqbZuwq5iGeeqovh:+JVGpxx9bKwZuwq4Geeqo
Malware Config
Signatures
-
Gh0st RAT payload 4 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3d6b6f6ba4a4366eddd767c0f81219f8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD599152cb59dd38e7e1bc2ff03ae56059b
SHA1758451ebabe5023558ce195a0782d5e7062d4bd6
SHA256f16d7041da1dfdeffefc8706b0b72b0ba574d4040eb873feeffd3311b5aa2a11
SHA512f76be8615744300a1e8242c4cff980a026c51e302cd726aff6729d3bdef50049f6a9ccc15e756e512f8c857b20def76705bebb3809421998f9f21215e99762bf
-
Filesize
99B
MD5a08b090163d53b615752ef73269ddbf6
SHA1eb7c6c269e37a44496ce0d184c1ce463ee6c37c5
SHA2565e70c9a45fbdf8718d86e0826cfe4079b1146c91178f0b62bda47e154dee599c
SHA5125f77ddea656cd1909d2ba6d7568d30706da032870557cdd8c83e2c525c6acfc43943dfc512bde6292373d8e6fb98889e6f8ee267734cb25c6add66a0e37cb747
-
Filesize
3.3MB
MD53983ff80abf7760c3063bffe9cc792ff
SHA123dbd2dc692e8fbb63610978980d0dd752e72d3c
SHA2561b559eb728aed85744331cce48c276d962d86e96805e7eebc2e104f431b8c5a8
SHA512a57d2ca8461c3b37ce31fd8fb8c11ca17ce18b3bae2428b1f2c0b42447201db6532fb1a87380717ac86ed10a7c09e6fad59b2f7366604a69b4008e94348dc3cc
-
Filesize
152KB
-
Filesize
152KB
