Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

JaffaCakes...7b.exe

windows7-x64

10

JaffaCakes...7b.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    01/03/2025, 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_3799b16d1a28b031cf761ac3b2539d7b.exe

  • Size

    196KB

  • MD5

    3799b16d1a28b031cf761ac3b2539d7b

  • SHA1

    d568cac4c45dd3c0cc46051edb9949a48cf7a26f

  • SHA256

    018a11878b175039255fafc575acffc59dc0620ade4f4c6ca38ec11b01317cf4

  • SHA512

    5b4089bfd2ac5d5acba1a2cf666a40b8d1ee6d7947132fe48b9be32e82e62c510ec222f01a4c426c2708d30631810850bf5b88c2b6fc2a4dd99e8d55849ba59a

  • SSDEEP

    3072:+eMWMcMgoEt3zk9z4Uh+yQAbAbu7NWtMpebimeN7kgMwzi/HPeqov:+ekcw5DTQAbbMbxg7kVwzSeqo

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3799b16d1a28b031cf761ac3b2539d7b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3799b16d1a28b031cf761ac3b2539d7b.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2540
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\NT_patH.bmp
    Filesize

    99B

    MD5

    b38ce2194563d5b9e32243f89b407e33

    SHA1

    6874477356f52a16b1374d9f48236dcd38090aad

    SHA256

    39b6b0078976ed534802e4090a9bc6469ffb21d35ab368e2c66bf0b59e4af84d

    SHA512

    f90912a093d2db943b24b5e6c45aa92a6e2bc4e82188eadd615a23f8c8c1c298978e6b1842220eadf56bc8ee3d498a564be7c2666eba7868b6970bae64050ce0

    Download Submit

  • memory/2540-10-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2924-13-0x0000000010000000-0x0000000010020000-memory.dmp

    Filesize

    128KB

    Download