Analysis

  • max time kernel
    92s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2025, 00:22

General

  • Target

    JaffaCakes118_6228e0bddca6629b077ea340bd142f31.exe

  • Size

    95KB

  • MD5

    6228e0bddca6629b077ea340bd142f31

  • SHA1

    2c03ff3ed68866a2829e1fa46570e0955a385225

  • SHA256

    38d9dfa2cbab55f4d4f182dd68a85c941e26d6484fd3d1952c7ad81c37f53928

  • SHA512

    3180a05f1ad6129fe1276a904795d08b759f9bf097af45a6a122f3c027e99ccfa9d1303365a84fd1cab9f71bc62f3969e0a06a972c30358f14d086513aa433e9

  • SSDEEP

    1536:fHFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prnMW5mb5EOc:fxS4jHS8q/3nTzePCwNUh4E9nWbGOc

Score
10/10

Malware Config

Signatures

  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is publicly available; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6228e0bddca6629b077ea340bd142f31.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6228e0bddca6629b077ea340bd142f31.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1216
    • \??\c:\users\admin\appdata\local\fcsgbrouyx
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6228e0bddca6629b077ea340bd142f31.exe" a -sc:\users\admin\appdata\local\temp\jaffacakes118_6228e0bddca6629b077ea340bd142f31.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1040
      2⤵
      • Program crash
      PID:3308
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1844 -ip 1844
    1⤵
    PID:1884
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:848
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1112
        2⤵
        • Program crash
        PID:900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 848 -ip 848
      1⤵
      PID:2712
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3548
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1060
          2⤵
          • Program crash
          PID:3444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3548 -ip 3548
        1⤵
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\fcsgbrouyx
    Filesize
    22.8MB
    MD5
    32951035bb6be446e5f3ad7cb911b70a
    SHA1
    71d445f31dc37ebd28bec751d93792e3012eccf7
    SHA256
    e5b74b17ec55e599a66fcb0c85fe2f6dc28351c60fb108ce15ce1e4a90c1164e
    SHA512
    a80462da21646f76b12d6ff176647af6ceb7bdb8c39ee03d5ed344693ee06f4fc943ca55f5045bc7f1779e90f358c743687636682e7ef8ad77d60d55f652ba5a

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    202B
    MD5
    5dc0b7fcba5abd09d89adb31946d038d
    SHA1
    c5873a0b2259e65d7d9198549f329f3f1c9c93b2
    SHA256
    165a1f1b619124d0bc88a0cf23bda5c9e4d27cf43315da2e3cf727b2988beb52
    SHA512
    89287feb0455cbdcbda46401efb0cd03eea4952d6ce49a30988bda78e379d1e87c14d12c4d8cd0801307a406759076d9c81f6d73be085e165500da8548bc1b4d

  • C:\Windows\SysWOW64\svchost.exe.txt
    Filesize
    261B
    MD5
    a48f59fdb1da58b7327e39e2975d52da
    SHA1
    fc4c58102fe0c0df94fb606c84982a19d06da918
    SHA256
    fdc9fee6275190cbc96490cf1c6c4a1ffd59f7f97d3ff32cb6054171b63d93e8
    SHA512
    bb06f658ccc5a5688e4fec35f3663a02afb8ed0c67a0fb93d04102a44558a9be08d117a5cb2c8c9dd9b9e7539f8f3bc34ad99ba7718cb9f6c46c9a2b8e15264c

  • \??\c:\programdata\application data\storm\update\%sessionname%\bcqhd.cc3
    Filesize
    19.0MB
    MD5
    0052dda3b861aeac320b07460555ee28
    SHA1
    bee949471f89e02b4fc4fbe7af375770b62ac6a5
    SHA256
    b12430c6e3dc1832ec7512cbcda0a36fb75f821af1d22fbb56d0e3d453cb813a
    SHA512
    3410cc3eac7b1c4fcf8740d28f84221feb43d73e052cbe27f8d9768ca931d21f1f73d5b1fe34bb0b9f714b6a2e3acfd7215537f8ac6da2d76d269142f5dbbe7c

  • memory/848-25-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB

  • memory/848-22-0x00000000017F0000-0x00000000017F1000-memory.dmp
    Filesize
    4KB

  • memory/1216-11-0x0000000000400000-0x000000000044E348-memory.dmp
    Filesize
    312KB

  • memory/1216-0-0x0000000000400000-0x000000000044E348-memory.dmp
    Filesize
    312KB

  • memory/1216-2-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB

  • memory/1844-18-0x00000000019F0000-0x00000000019F1000-memory.dmp
    Filesize
    4KB

  • memory/1844-20-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB

  • memory/2496-12-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize
    4KB

  • memory/2496-17-0x0000000000400000-0x000000000044E348-memory.dmp
    Filesize
    312KB

  • memory/2496-8-0x0000000000400000-0x000000000044E348-memory.dmp
    Filesize
    312KB

  • memory/3548-27-0x00000000013F0000-0x00000000013F1000-memory.dmp
    Filesize
    4KB

  • memory/3548-30-0x0000000020000000-0x0000000020027000-memory.dmp
    Filesize
    156KB