Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/02/2025, 04:30

General

  • Target

    JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe

  • Size

    136KB

  • MD5

    31964dfdd7e07e2193e2e1476a64b755

  • SHA1

    fc26d0420fa5abbf8389a3a565e00f6b501b1389

  • SHA256

    506bb631d0cddd36b722c2bd5c4e1ada1d73f9e3d2258d55225094dadb83487a

  • SHA512

    8f99b71ab81763ecb251fc72ba04c1365437a1aa270f5026f1888887877e7ea381086e2ab114d2d4d92c1366ef93f99dd5870eb5e269e352780978ae3cc3121e

  • SSDEEP

    3072:s5xufj+3Ok4yewwA1ZuovQX+I+6gbPfPiHkoBnGkypCwSR3apG+:4RxABOI+FTPMZnGkykwMX+

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2344
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\2953800.ini

    Filesize

    113KB

    MD5

    2c6fad20eacceaf3d7e3e532e5986e32

    SHA1

    3a353942f94834cba25227ec4bf0e88617561b08

    SHA256

    28e07be656059d7e08cba40e5c1961afb52459b6de5b1294b5b9031d3a598bd6

    SHA512

    717f386285c48a439bc5d112f8afc78b41c326fa0075e01e3f530be266506c47efa53348535d8e0b71243efcb2c5b20eb6c18488d31f980e1303338ea5f40cd9

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    6ecbca4216cb5dddbbb6d12a8c3032cc

    SHA1

    3b53275871f09bd0f537b3975bcca75496a313f9

    SHA256

    d32aeaa63370a76f482401ed2b6872fd86f7830dc72e80292dc08cbc859afee5

    SHA512

    2060ae67dd6e98a497e4f2de7d24c1dd75141c0be3a5ca27decbc9120ae7e4f2fdb6095345b5c1750947d6e5bb1aa6e259c6c99a51d4ec3ce305b1e38fa2f2b2

  • \??\c:\program files (x86)\pwyj\enwhnhfhs.bmp

    Filesize

    4.4MB

    MD5

    69a86ffce6c92ef3454a2c57f121786e

    SHA1

    d7a110c95812d94f5c33a173494e61e5137ed2b0

    SHA256

    e015131756bb754225247392b86073951b965c4f78cd3ce404e41b5db2a5e839

    SHA512

    ebec0cc638d15612fc98bb4ec845af9db4ead21d80e4de2b701b6694aa4b59610fa3e8b3ee6e80354c20058d0297e12ac621807be1fa6964d72c1b20745f013c

  • memory/2344-14-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB
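The indicators in this report (the process command line under Processes and the hashes and paths under Downloads) can be turned into a host-side check. The Python below is an added example, not code from tria.ge or from the sample. The events it scans are constructed for the demo; the SHA256 values and file paths are those listed in this report. Two things are the editor's assumptions rather than report facts: the heuristic that a SysWOW64 (32-bit) svchost.exe hosting the `imgsvc` group is anomalous on 64-bit Windows, where the built-in WIA group is hosted by System32\svchost.exe, and the loosened path patterns that treat `pwyj` and `enwhnhfhs.bmp` as randomly generated names.

```python
"""Host-side triage helpers built from the IoCs in this tria.ge report.

Added example (not tria.ge code, not the sample's code). Hashes, paths and
the svchost command line come from the report; the event records scanned
below are constructed for the demo.
"""
import re

# SHA256 values listed in the report: the submitted binary and the dropped files.
REPORT_SHA256 = {
    "506bb631d0cddd36b722c2bd5c4e1ada1d73f9e3d2258d55225094dadb83487a":
        "JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe",
    "28e07be656059d7e08cba40e5c1961afb52459b6de5b1294b5b9031d3a598bd6":
        r"C:\2953800.ini",
    "d32aeaa63370a76f482401ed2b6872fd86f7830dc72e80292dc08cbc859afee5":
        r"c:\NT_Path.jpg",
    "e015131756bb754225247392b86073951b965c4f78cd3ce404e41b5db2a5e839":
        r"c:\program files (x86)\pwyj\enwhnhfhs.bmp",
}

# Path patterns derived from the "Downloads" section. Assumption (not stated
# in the report): "pwyj" and "enwhnhfhs.bmp" are generated names, so that
# pattern accepts any short lowercase folder and .bmp name at that depth.
DROPPED_PATH_PATTERNS = [
    re.compile(r"^[a-z]:\\\d{6,8}\.ini$", re.I),
    re.compile(r"^[a-z]:\\NT_Path\.jpg$", re.I),
    re.compile(r"^[a-z]:\\program files \(x86\)\\[a-z]{3,6}\\[a-z]{5,12}\.bmp$", re.I),
]


def suspicious_svchost(cmdline: str) -> bool:
    """Flag a 32-bit svchost.exe hosting the 'imgsvc' service group.

    The report shows the dropped DLL loaded inside
    C:\\Windows\\SysWOW64\\svchost.exe -k imgsvc. Heuristic assumption: on
    64-bit Windows the built-in imgsvc group runs from System32\\svchost.exe,
    so a SysWOW64 instance with that group name is worth a look.
    """
    m = re.match(r'^"?([^"\s]+svchost\.exe)"?\s+-k\s+(\S+)', cmdline, re.I)
    if not m:
        return False
    image, group = m.group(1), m.group(2)
    return "\\syswow64\\" in image.lower() and group.lower() == "imgsvc"


def match_known_hash(sha256: str):
    """Return the report's file name for a known SHA256, else None."""
    return REPORT_SHA256.get(sha256.strip().lower())


def match_dropped_path(path: str) -> bool:
    """True if a file path matches one of the drop-location patterns."""
    return any(p.match(path) for p in DROPPED_PATH_PATTERNS)


def triage(events):
    """Scan process/file events and return (rule, detail) findings in order.

    Hash matches take precedence over path-pattern matches for the same file.
    """
    findings = []
    for ev in events:
        if ev["type"] == "process" and suspicious_svchost(ev["cmdline"]):
            findings.append(("svchost_syswow64_imgsvc", ev["pid"]))
        elif ev["type"] == "file":
            if match_known_hash(ev["sha256"]):
                findings.append(("known_hash", ev["path"]))
            elif match_dropped_path(ev["path"]):
                findings.append(("dropped_path_pattern", ev["path"]))
    return findings


# Constructed sample telemetry: one record mirrors the report's svchost line,
# one is a benign System32 svchost, two files carry report hashes, one is noise.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2444, "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k imgsvc"},
    {"type": "process", "pid": 900, "cmdline": r"C:\Windows\System32\svchost.exe -k imgsvc"},
    {"type": "file", "path": r"C:\2953800.ini",
     "sha256": "28e07be656059d7e08cba40e5c1961afb52459b6de5b1294b5b9031d3a598bd6"},
    {"type": "file", "path": r"C:\Program Files (x86)\pwyj\enwhnhfhs.bmp",
     "sha256": "e015131756bb754225247392b86073951b965c4f78cd3ce404e41b5db2a5e839"},
    {"type": "file", "path": r"C:\Users\Admin\Documents\report.docx", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The path patterns are deliberately separate from the hash table: the hashes identify this exact sample, while the patterns catch a rebuilt variant that drops into the same locations with fresh names. Tune the SysWOW64 heuristic against a baseline of your own 64-bit hosts before alerting on it.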