Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
28/02/2025, 05:33
General
-
Target
JaffaCakes118_31ed8ac43646906c48a9516719ac9a1f.exe
-
Size
184KB
-
MD5
31ed8ac43646906c48a9516719ac9a1f
-
SHA1
7902a74914bae35cf3259f3e16ee8be2eb5c7ed3
-
SHA256
18696783f2951aa9fc8f6136e5f911a5e6eeac776fc56f7832e80ec85e9247f0
-
SHA512
a8ec1a09324350f92bb6782c9c420876d5b4e16471bbe57c51c3eec7a9de3785d6c8f1f6c47eee06e8115c15a4406400f894562237972bd4150c1303fff795a6
-
SSDEEP
3072:yvUHexyY1tYVvh8Q3aHS4ktdH5lfZbh0tt2/Y4xeIKhYOZLwAe6cQPYo3uJBAyTu:yUSxkayjdZ1ZbWi/vxrK7ZLwzYv3+q
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31ed8ac43646906c48a9516719ac9a1f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31ed8ac43646906c48a9516719ac9a1f.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD5bb0ea38f8cc26f2181cbfc153c975917
SHA1d0f9e93ab7db34683fa5aaee0894592918ad7f4e
SHA256fb9f718455eda790269e5ef7c49dbff16b4097f78609b7a5ea02d6b03742906d
SHA512b9d3fd96d6226d3038df1d11d00f7e1156b3ad302e7e4dd57f39dc0faf4fd3004379f0819d73ef7d62aa4d858679e20d342f5e06c5095c0310ff4a0e6a6254ce
-
Filesize
99B
MD535d7094e54c22b43b4f9c181ba1e6cb7
SHA1dbb6b3d3536d236e6616c2b4a62635d0a554c1ce
SHA256f02ea2356ce710fca8d223eb1a3181c6189ac4e9a2a3fe0b46def7ef6232d0ad
SHA51234ea740e314a679cf46bb6e7ef5905e68d5ff6de362e5e9ddc789af006c11d24d9a7618494a10be97ca20ad96b9e3b8cb472deba833afc824760bc6bfd9d9382
-
Filesize
17.1MB
MD51437d41b489a1ee860981a46a8cc25a3
SHA12453c6839895173b9e64c68b20cee08737c28453
SHA25641a95f1f2a77953c2cc92a8f6bda183dafe1b13c6676eec7c7d781f8ae307ea3
SHA5126433ae1761288b866ddbb4a0cb699a631e88332331dfa03ae623df4f3ad9be38bbfe0c98ff81e239f57c662ff9d8ec2903221ecd3d5c9d1770f4442f78421154
