Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
28/02/2025, 04:30
General
-
Target
JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe
-
Size
136KB
-
MD5
31964dfdd7e07e2193e2e1476a64b755
-
SHA1
fc26d0420fa5abbf8389a3a565e00f6b501b1389
-
SHA256
506bb631d0cddd36b722c2bd5c4e1ada1d73f9e3d2258d55225094dadb83487a
-
SHA512
8f99b71ab81763ecb251fc72ba04c1365437a1aa270f5026f1888887877e7ea381086e2ab114d2d4d92c1366ef93f99dd5870eb5e269e352780978ae3cc3121e
-
SSDEEP
3072:s5xufj+3Ok4yewwA1ZuovQX+I+6gbPfPiHkoBnGkypCwSR3apG+:4RxABOI+FTPMZnGkykwMX+
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31964dfdd7e07e2193e2e1476a64b755.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113KB
MD57c9e6c801c7cd892f5f0f478632201ec
SHA1619959e405ab39c0388e3e6591d82160b1a8df43
SHA256deaf27ac9eebd67920c8d4da286b8dd1d73447dbba0650ac22f52a191a6e9eae
SHA5124d51b8d5cc84abc39f5172b8c48494e8ad5589ca8aab84b66ded61fc0379b627623cd2ff9a7ad77e68d634da57a6490627594e227c7e0369662f16dff7d8845d
-
Filesize
99B
MD52264a47c0681314df28ffca38cf04111
SHA150ba51f9b2f7b2aa373e16928a843f67e0c29e9f
SHA2565ff6a64d06af0639d83a92afea38b4ac379adc92d77fa9048f921326427fea76
SHA51211d3e35b3ef4af8930026e11ee095bbbd037296cc5ebf5bcce0edbe978b927017e2a1c43bd15939a56e9b2dda8c0261e435a2e7d5701eb9e7452a6d369c0d6ca
-
Filesize
8.3MB
MD5c0d54ba35a751eeec53b9f78878163af
SHA132fc3decc6b04d20a54d31b90631a2ecc97f8d9f
SHA25695c7c51a7beed22df8d864f893e2376f86b2e3369b8b23212727eb09eb3d2145
SHA512d45ed66603d15b761d5d34c84136c1d50bd5a7d314c991d6fbf09e2960304baa72beebd78ed289da3ef962c6d205334e5fc2177d05ac8e59a0c18023ee0c44ec
