Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

JaffaCakes...c0.exe

windows7-x64

10

JaffaCakes...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/03/2025, 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_36dd0b35f717a6c103d37fb43fca54c0.exe

  • Size

    369KB

  • MD5

    36dd0b35f717a6c103d37fb43fca54c0

  • SHA1

    45a09caacd3cdea944840d493d9457e84d44ab4d

  • SHA256

    3dbfe53c49d06de30219517e2e17a552f579eb70065e75f978674f1aa372bb92

  • SHA512

    cc7ed329e6dbe6265811611c47c08afbaf030e9e3660bb6682186dcd4f4173dafa67f8c64bc644f6670af52e6ccc35339cff93af0eb4c6f755a275dfe4fda2f4

  • SSDEEP

    6144:esIs6nW8gXBTyPRqyhYPbHcTBlhHrQndnkv0wnudcmfSIAHm9YN5sP3ZxDnLvMwb:TKW8pJq8YPbHcT3bdn6ccK+zThCw

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36dd0b35f717a6c103d37fb43fca54c0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36dd0b35f717a6c103d37fb43fca54c0.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2400
    • \??\c:\users\admin\appdata\local\giwytxmuiw
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36dd0b35f717a6c103d37fb43fca54c0.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_36dd0b35f717a6c103d37fb43fca54c0.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4896
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1080
      2⤵
      • Program crash
      PID:3020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3656 -ip 3656
    1⤵
      PID:1168
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1104
        2⤵
        • Program crash
        PID:2464
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1184 -ip 1184
      1⤵
        PID:656
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1108
          2⤵
          • Program crash
          PID:1740
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4584 -ip 4584
        1⤵
          PID:3244

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\wxiE6E5.tmp
          Filesize

          172KB

          MD5

          685f1cbd4af30a1d0c25f252d399a666

          SHA1

          6a1b978f5e6150b88c8634146f1406ed97d2f134

          SHA256

          0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

          SHA512

          6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

          Download Submit

        • C:\Users\Admin\AppData\Local\giwytxmuiw
          Filesize

          24.8MB

          MD5

          30a119ed029f2796159cb14f043c15d8

          SHA1

          bfaf0555ad9c3a09e81e36f46fadafd38ea1be80

          SHA256

          3f33a64ab58fe9992370ca4b4fed285ec499e55fe152a5026a7272f6f7792f50

          SHA512

          7754d30c73d0be68f467462b0c89d83244e5356b240b7cc7e01c058e8aa9eebc1694ab6fbb07571f30f2777a30691c1c8d54469c7aca2c94ab864027de594e61

          Download Submit

        • C:\Windows\SysWOW64\svchost.exe.txt
          Filesize

          198B

          MD5

          f6668714112ba2683daa583516cdd6bb

          SHA1

          0a0c862cc67a33755c3241263a042db19bf09f43

          SHA256

          ed46a14e6db18314b8720240f00810db4b60d7eb26736d7620b23024efa58c1d

          SHA512

          5c2c4245686e1de64f45941777fead84bb0965b86fbffc1b78aee6a0e2839af885ff8193863764b6ee670e6b3fa600aa0de53ea32f10c406cd6812126d639d1b

          Download Submit

        • C:\Windows\SysWOW64\svchost.exe.txt
          Filesize

          297B

          MD5

          bfd3f5d8d0bc44c4203f189aa00ef482

          SHA1

          bd42fcc09ad9a405a3d35a654ab2008859036ed2

          SHA256

          938ba90eab6ce76c2c25a1d2b790c7092ba5e7d1b8c0f128b40db5c05b5c352d

          SHA512

          ff61df99ca6abb3ab6907200cfcfdfed9e01402fba9e1acacfe919c8d21015412f522a52a1dc6dfa475ecebd1a875b8053f936ef7b47abc5a1f3499f3acba690

          Download Submit

        • \??\c:\programdata\drm\%sessionname%\ljeux.cc3
          Filesize

          21.0MB

          MD5

          1801a6f16149de255712c306ceafabaa

          SHA1

          13b74806bb3e9a58ce90a302e7459bd7b8d1b8a5

          SHA256

          11c8176e5daf2963515ff6e42983a0f1a889762e45dfaadfd3f5649ca1977c83

          SHA512

          7be9767d4b8210e91c68d5bd53e32fc1bea63525d78cb86b7705553c3db0a05619dcd65c9e90d4f1be5a1024c78c08c1d37b86ab02657ab031ba78f59fab2396

          Download Submit

        • memory/1184-40-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/1184-37-0x0000000002000000-0x0000000002001000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2400-6-0x0000000001F50000-0x0000000001FC3000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2400-24-0x0000000001F50000-0x0000000001FC3000-memory.dmp

          Filesize

          460KB

          Download

        • memory/2400-18-0x0000000000400000-0x0000000000432800-memory.dmp

          Filesize

          202KB

          Download

        • memory/2400-9-0x0000000000401000-0x0000000000402000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2400-0-0x0000000000400000-0x0000000000432800-memory.dmp

          Filesize

          202KB

          Download

        • memory/2400-8-0x0000000001F50000-0x0000000001FC3000-memory.dmp

          Filesize

          460KB

          Download

        • memory/3656-35-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3656-33-0x0000000001AE0000-0x0000000001AE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4584-42-0x00000000016C0000-0x00000000016C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4584-45-0x0000000020000000-0x0000000020027000-memory.dmp

          Filesize

          156KB

          Download

        • memory/4896-32-0x0000000000400000-0x0000000000432800-memory.dmp

          Filesize

          202KB

          Download

        • memory/4896-31-0x0000000000590000-0x0000000000603000-memory.dmp

          Filesize

          460KB

          Download

        • memory/4896-26-0x0000000000400000-0x0000000000432800-memory.dmp

          Filesize

          202KB

          Download

        • memory/4896-25-0x0000000000590000-0x0000000000603000-memory.dmp

          Filesize

          460KB

          Download

        • memory/4896-15-0x0000000000400000-0x0000000000432800-memory.dmp

          Filesize

          202KB

          Download