Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27/01/2025, 17:44
General
-
Target
JaffaCakes118_422c2de721f1241da6aaf7c5584162fd.exe
-
Size
146KB
-
MD5
422c2de721f1241da6aaf7c5584162fd
-
SHA1
144f717c93afd0e25924a6677821c630e2028ac1
-
SHA256
6102dae7b7d0fef08b08fb9faadb1bc7cb75ea5bf78772d228c5e9c7b45b80ce
-
SHA512
468bf02960be2f3c77540cb0ef6ab06749a84bd5885ae0bebc44d142e1eaa0187550f7c62b9966e071ba53b453f0dda6514e26ec407f87330e1b378b7bfd376f
-
SSDEEP
3072:NgEehZ6lngDMYUxHkq15yoY0f4S07tVaTqXuz1KJoZAo5LH5u:NgEehkHkmMoY0xoV00uz1PZAS
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_422c2de721f1241da6aaf7c5584162fd.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_422c2de721f1241da6aaf7c5584162fd.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
126KB
MD59ea83111253838ac029211df562cd717
SHA1e1ef851cb46bb7423ac785f1d4846acc9684b2cb
SHA2560efa295ce1104489bdb0c76b190b097bc7f804ee89063c83ea49195197cc960f
SHA512345b5ba15514868ba9263755d38b39485d4b8140ee828637b0f1eaa6fca901fa592c79529c384dbc91394829259a2ee065a2d18e894e5e480b71cee7daa8c786
-
Filesize
114B
MD5aac8832e48935f29c0dc7c5378817173
SHA1b779d0fdb8376c8896472feaa0e1c070b1a5ad43
SHA25656b9396213a9c05b8d0c367edd100fc28759eb673208211b03cf26c6699659f3
SHA5121fd8ffce978e81072f15a9f5f6687c294b81683b9b060579af5bb568f687e3d3766675ab4db354778cf16893dfa09944b899f2fb15f52b7568e8277c06858d7f
-
Filesize
14.0MB
MD54ca77528260504fc7b801d0ec3b6f54a
SHA174b72e3bb9162bc79f70d4e53ba6c8dc3401cbaf
SHA2561cf25030d3f84bd983227e07e246e5f2c9bc0e9996577a9ddc5ce589e53652b0
SHA512d886c6a4bc810e00f957b413d826f168f96e4632fa4bf985cda0e80dcc6715ada05c64213659c9bbb6e34c7ee558c6b8a3ad4a16b170bf3d1c195be215a5d254
