
Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/01/2025, 04:51 UTC

General

  • Target

    JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe

  • Size

    95KB

  • MD5

    3c216dfd1ea55f02b865059c1d2aac4c

  • SHA1

    930c175570611d2628c4537ddb188d0cd6fcd6e2

  • SHA256

    110e121a5c20d21a8735dc42a8ac85a81a85e2045d79fb91d77a7328e2662ad9

  • SHA512

    aae362f40039d1ce011173f16d013d112635e59ca3168de2fc35ed2452834ff6500df7c6ea6ba631b20f89e8d2961354f64bec28f57ca00566ac9697f4ddd52c

  • SSDEEP

    1536:C+FusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prjXVrGONLfdD:CES4jHS8q/3nTzePCwNUh4E9jXYifdD

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2480
    • \??\c:\users\admin\appdata\local\cfrcokynov
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_3c216dfd1ea55f02b865059c1d2aac4c.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2952

Network

  • flag-us
    DNS
    bibo9.8800.org
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    bibo9.8800.org
    IN A
    Response
    bibo9.8800.org
    IN A
    93.46.8.90
  • flag-us
    DNS
    conf.f.360.cn
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    conf.f.360.cn
    IN A
    Response
    conf.f.360.cn
    IN CNAME
    conf.f.qh-lb.com
    conf.f.qh-lb.com
    IN A
    1.192.137.9
    conf.f.qh-lb.com
    IN A
    1.192.137.3
  • flag-us
    DNS
    bibo9.8800.org
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    bibo9.8800.org
    IN A
  • 93.46.8.90:889
    bibo9.8800.org
    netsvcs
    152 B
    3
  • 46.82.174.69:889
    netsvcs
  • 8.8.8.8:53
    bibo9.8800.org
    dns
    netsvcs
    60 B
    76 B
    1
    1

    DNS Request

    bibo9.8800.org

    DNS Response

    93.46.8.90

  • 8.8.8.8:53
    conf.f.360.cn
    dns
    netsvcs
    59 B
    121 B
    1
    1

    DNS Request

    conf.f.360.cn

    DNS Response

    1.192.137.9
    1.192.137.3

  • 8.8.8.8:53
    bibo9.8800.org
    dns
    netsvcs
    60 B
    1

    DNS Request

    bibo9.8800.org

MITRE ATT&CK Enterprise v15


Downloads

  • \??\c:\programdata\application data\storm\update\%sessionname%\qjqvu.cc3

    Filesize

    22.0MB

    MD5

    445117a4079db67231fe35d81818b2ad

    SHA1

    2f9653a3ca7bd70721c781affc56dd1fe4950d17

    SHA256

    17023a6fb34f1d3727aa49933e6ad1b0f71b4806523927580ca5c6c01679b202

    SHA512

    9f8eb13869076eca5fec97eee28bef71702b027e59631bdcb67e5ff7fc788f5a68d90a3ffc8da212f18b06f31fab8b7e49e6f89a822f7332d9a03bd935792c2e

  • \Users\Admin\AppData\Local\cfrcokynov

    Filesize

    20.8MB

    MD5

    10b2b3d304713b732fcfb0c5398fe42f

    SHA1

    df5fd6eb39fae633c4a89994bc3c6b35e0a72e95

    SHA256

    7c5e7b9377c611c8948d42b614bb8ea0f74e474f17554316c4de653dc3760281

    SHA512

    06c49bf515125d052b319dbfb2c9ddaef00129c60e5eedc98fe28f6bcb94d5f3a77531b25e52b1ae00b5743f93b7a99f5770c2bd13025cdbdb4a1301cad369ea

  • memory/1680-14-0x0000000000400000-0x000000000044E3D4-memory.dmp

    Filesize

    312KB

  • memory/1680-21-0x0000000000400000-0x000000000044E3D4-memory.dmp

    Filesize

    312KB

  • memory/2480-1-0x0000000000400000-0x000000000044E3D4-memory.dmp

    Filesize

    312KB

  • memory/2480-2-0x0000000000030000-0x0000000000031000-memory.dmp

    Filesize

    4KB

  • memory/2480-6-0x0000000000230000-0x000000000027F000-memory.dmp

    Filesize

    316KB

  • memory/2480-12-0x0000000000400000-0x000000000044E3D4-memory.dmp

    Filesize

    312KB

  • memory/2952-22-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2952-24-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB

  • memory/2952-26-0x0000000020000000-0x0000000020027000-memory.dmp

    Filesize

    156KB
