Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/03/2025, 19:13

General

  • Target

    JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe

  • Size

    139KB

  • MD5

    3aff15c668057f327358fc546dfaa92f

  • SHA1

    98e4a0b9dede20504e24da08aadb898caeec363d

  • SHA256

    20a5c23e7dddbab446df0d7d6b9eaa2c54687d9050841cbb2305ad98814bac0f

  • SHA512

    74e849d2b1f9d9a197bace710435932fb13c6dd3b4516f241f5b79061f6e326200908d998e41b71de10787a900d7f355fd640f0079b88eaf7667355936e07e04

  • SSDEEP

    3072:T7WLeYPiFfs8qr+Nw7h+Feu4g8qbACPAKJrF3MIOo47u:TVs8qVTohAM1lKI7c

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese threat groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2072
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1472
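An added hunting example, not code from tria.ge, the sample or Gh0st RAT: the Python below encodes the behaviour chain recorded in the Signatures and Processes sections (a binary running from the user's Temp directory writing into Program Files, svchost.exe loading a DLL dropped at the drive root, and the original binary being deleted by a different process) as rules over Sysmon-style events. The paths and SHA256 values are copied from this report; the event records, PIDs, Sysmon-shaped field names and the regex generalisations (a numeric-named DLL at any drive root, any Program Files directory, any user's Temp) are constructed assumptions that go beyond the single case the report shows.

```python
"""Hunting rules for the behaviour chain in this report, run over Sysmon-style events.

Added example; not code from tria.ge, the sample, or Gh0st RAT. Paths and
SHA256 values are copied from the report. The event records, the Sysmon-shaped
field names (EventID, ProcessId, Image, ImageLoaded, TargetFilename, Hashes)
and the regex generalisations are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Copied from the report.
SAMPLE_SHA256 = "20a5c23e7dddbab446df0d7d6b9eaa2c54687d9050841cbb2305ad98814bac0f"
DROPPED_DLL_SHA256 = "79276446b2ecac6cf6563e4669f9cbed8f1b2507a471200242c317f17a719db4"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe"
SVCHOST_WOW64 = r"C:\Windows\SysWOW64\svchost.exe"
KNOWN_BAD_SHA256 = {SAMPLE_SHA256, DROPPED_DLL_SHA256}

# Generalisations of the report's paths (assumptions, wider than the single case seen).
ROOT_NUMERIC_DLL = re.compile(r"^[a-z]:\\\d+\.dll$", re.I)            # e.g. C:\2775500.dll
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)


def hunt(events):
    """Return (rule, pid, detail) findings for every event that matches a rule."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = ev.get("Image", "")
        sha256 = ev.get("Hashes", {}).get("SHA256", "").lower()
        target = ev.get("TargetFilename", "")

        # Hash match on a process start (EventID 1) or a module load (EventID 7).
        if eid in (1, 7) and sha256 in KNOWN_BAD_SHA256:
            findings.append(("known_bad_hash", pid, sha256))

        if eid == 7:  # ImageLoad: svchost pulling in a numeric-named DLL from the drive root
            loaded = ev.get("ImageLoaded", "")
            if image.lower().endswith("\\svchost.exe") and ROOT_NUMERIC_DLL.match(loaded):
                findings.append(("svchost_loads_root_numeric_dll", pid, loaded))
        elif eid == 11:  # FileCreate: a Temp-resident process writing under Program Files
            if USER_TEMP.search(image) and PROGRAM_FILES.match(target):
                findings.append(("temp_process_writes_program_files", pid, target))
        elif eid == 23:  # FileDelete: the report attributes the dropper's deletion to
            # svchost.exe rather than the dropper, so require the deleter to differ.
            if sha256 == SAMPLE_SHA256 and image.lower() != target.lower():
                findings.append(("known_sample_deleted_by_other_process", pid, target))
    return findings


def by_pid(findings):
    """Group rule names by PID so processes hitting several rules stand out."""
    grouped = defaultdict(set)
    for rule, pid, _ in findings:
        grouped[pid].add(rule)
    return dict(grouped)


# Constructed events mirroring the report's process tree and dropped files.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "ProcessId": 2072, "Image": SAMPLE_EXE,
     "CommandLine": f'"{SAMPLE_EXE}"', "Hashes": {"SHA256": SAMPLE_SHA256}},
    {"EventID": 11, "ProcessId": 2072, "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Program Files (x86)\Bwxy\Gwxyabcde.gif"},
    {"EventID": 1, "ProcessId": 1472, "Image": SVCHOST_WOW64,
     "CommandLine": f"{SVCHOST_WOW64} -k imgsvc"},
    {"EventID": 7, "ProcessId": 1472, "Image": SVCHOST_WOW64,
     "ImageLoaded": r"C:\2775500.dll", "Hashes": {"SHA256": DROPPED_DLL_SHA256}},
    {"EventID": 23, "ProcessId": 1472, "Image": SVCHOST_WOW64,
     "TargetFilename": SAMPLE_EXE, "Hashes": {"SHA256": SAMPLE_SHA256}},
    # Benign noise that must not fire: a system svchost loading a system DLL
    # (placeholder hash, constructed).
    {"EventID": 7, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Hashes": {"SHA256": "0" * 64}},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(CONSTRUCTED_EVENTS):
        print(f"{pid:>5}  {rule:<40} {detail}")
```

Run as a script it prints one line per finding; on the constructed events PID 1472 matches three rules and PID 2072 two, while the benign svchost in PID 900 matches none. On real telemetry, treat the hash rules as high confidence and the path rules as pivots to review, since a numeric-named DLL at the drive root or a Temp-resident installer writing to Program Files is suspicious but not unique to this family.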

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\2775500.dll

    Filesize

    131KB

    MD5

    73b5d4d05e08214936f908cea771a814

    SHA1

    a6dd98582f273ba0592665544fdb8cfaa1f303a6

    SHA256

    79276446b2ecac6cf6563e4669f9cbed8f1b2507a471200242c317f17a719db4

    SHA512

    f5d163dac76107b71ec65aff1d2862cbf868b863509d3ccd110d588af384f4b4f357277576f7464220ab58eab9724ebf79537ca0dec168c97f7a833bb3303331

  • C:\Program Files (x86)\Bwxy\Gwxyabcde.gif

    Filesize

    155KB

    MD5

    be7ce67af1cd67b98629afcf5d4ff254

    SHA1

    f68e2711014266256bf48aaf2d047cff9b93e772

    SHA256

    6c448beba3fd44e6eb54026e6b1f26b5e4b595271311935f18e5ddeec6956bb3

    SHA512

    52ecb451a14b38f6f470c15cfa16f9ec6ff67fdd7b5760cd6f13709092adc18d8389255dd65ccf453dc9112fa2056a5e25deefdff7cc82e35c4c4c5aefb4a7f0

  • \??\c:\NT_Path.jpg

    Filesize

    99B

    MD5

    d07e11a6f670a20bf775ef3912086510

    SHA1

    43766674ccc01b4c32cc905a7b119274cd9a042a

    SHA256

    6550cb28a92afb8311a86df0c8404025812b02214c060c3709ee846dbe57ef18

    SHA512

    7b872a9643689745549858dd3670f99cf52dd8029effcde45d5caecde7bda44509daf871532fbf5ecb1c2673fb570ba865ff3c8ede05d8693ab2ef1fb8b2ca4b

  • \??\c:\program files (x86)\bwxy\gwxyabcde.gif

    Filesize

    12.0MB

    MD5

    4c609d1689c11242920af7ece01b8287

    SHA1

    d0d3274df7c9de349d18632d407ac0845b47f238

    SHA256

    8b3adaf070f2d3023d10e5cd4847cd5e9a416801424469c8cf43934b1e6858c9

    SHA512

    e373cceca1d367ca0f3427cee52d5fe89dcab510d526d0cf092badcf47f497877efd2e7aef30975c216dacd189e6e673105dd8408297813ca815f061377b8417

  • memory/2072-9-0x0000000010000000-0x0000000010024000-memory.dmp

    Filesize

    144KB