Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
01/03/2025, 19:13
General
-
Target
JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe
-
Size
139KB
-
MD5
3aff15c668057f327358fc546dfaa92f
-
SHA1
98e4a0b9dede20504e24da08aadb898caeec363d
-
SHA256
20a5c23e7dddbab446df0d7d6b9eaa2c54687d9050841cbb2305ad98814bac0f
-
SHA512
74e849d2b1f9d9a197bace710435932fb13c6dd3b4516f241f5b79061f6e326200908d998e41b71de10787a900d7f355fd640f0079b88eaf7667355936e07e04
-
SSDEEP
3072:T7WLeYPiFfs8qr+Nw7h+Feu4g8qbACPAKJrF3MIOo47u:TVs8qVTohAM1lKI7c
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aff15c668057f327358fc546dfaa92f.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
131KB
MD573b5d4d05e08214936f908cea771a814
SHA1a6dd98582f273ba0592665544fdb8cfaa1f303a6
SHA25679276446b2ecac6cf6563e4669f9cbed8f1b2507a471200242c317f17a719db4
SHA512f5d163dac76107b71ec65aff1d2862cbf868b863509d3ccd110d588af384f4b4f357277576f7464220ab58eab9724ebf79537ca0dec168c97f7a833bb3303331
-
Filesize
98B
MD5ed710e4c9956bfff779b1e4d30de90d8
SHA128ebfe85df1abb712c3474aca8178692146618a3
SHA25615f90ce4b2f3ab5062d96282a3ada8a96ce56a6fd23334d4ae169e97cd4efe74
SHA512792a2e08bd5da35479acfe7d6b8fab8e4a18443ed91b58254dfd0500bed44b537008328d4232b8cc1d8e201bbdb3b94f3f0a59121fae43e424ba3c8058c43f51
-
Filesize
12.3MB
MD58d6a89c4affac4b74161c050fc568431
SHA106fd6ff25fc29d2c30352d59f5f9e61a06137a58
SHA2565ca82c46fd093d16244a3370d40cef59efa18c8eb3037fcb3f1756f03abc419f
SHA51296098d843ffbb4392c492099bfde5006ee4e069e8462c80a6dda3cf5a85d8fb1075cdbb9462c02a85ef5a1e257409d9f4d101fb4747e75361df81af16cdef761
