Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

JaffaCakes...26.exe

windows7-x64

10

JaffaCakes...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2025, 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_63a2547533c64aa86f3c9583696cad26.exe

  • Size

    134KB

  • MD5

    63a2547533c64aa86f3c9583696cad26

  • SHA1

    b08f234c30e99beca3e4ef5652e2b95d53d19a89

  • SHA256

    55022431cb92d5ca852d5bc209253ea8be1451f90119e0758323064c6e9cd137

  • SHA512

    7811d86989768d949e8e0fdc447ea86a70b9d3772ea05a2857f31cc765ef7c720e79ef71d109405beb6db196edbf9734ecb3307ede1cae2f7a74063cdfaf9aa1

  • SSDEEP

    3072:CMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwh5iGHeqovv:C3JVGpxx9b3wZuwh4GHeqo

Score
10/10
gh0stratdiscoveryrat

Malware Config

Signatures

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a2547533c64aa86f3c9583696cad26.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a2547533c64aa86f3c9583696cad26.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2412
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k imgsvc
    1⤵
    • Deletes itself
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\1293000.dll
    Filesize

    101KB

    MD5

    4a1a3c867f9909a118b1cd3229f8d9e3

    SHA1

    c1d09f6ec848bbe50608923bd3d185b0dd585a9c

    SHA256

    3415d5a6242e7528ee357fe025512feb64fa0d08b351f9171b7fbc8e23b46128

    SHA512

    278ce3e1b69c77c8f6fc8f8e1e9e41503b466853beeec83330e4213e9402dae63584ff29bd84a8667d12d174ef852c36848c07d9c00d6d7c4fc9ed9f8234267c

    Download Submit

  • C:\Program Files (x86)\Uajw\Qobymsdiq.bmp
    Filesize

    11.8MB

    MD5

    913d0936156acc4a9737990c8f29786c

    SHA1

    b274eba4d4c1368de7a1b10d5b237ba9060b53c4

    SHA256

    50b8d53ee0c274038167e823d9f7f68f454fe5fee454b60f2542d0dde74b1726

    SHA512

    c8a0c2eee988988927ba7b6709bf6c90ed222b97cb155346a078682206ade5ac3db560d6c0de18508e5af2930db0a535f5b3d6de0492435d1c8eb77e8f3aa9a4

    Download Submit

  • \??\c:\NT_Path.jpg
    Filesize

    99B

    MD5

    e2b50d2f74bf4249bc1ff0e39a8e4c05

    SHA1

    4d85a8f8ea587cebc0859ec282565f4f6c92f55f

    SHA256

    090fde69e74e33bc365ac9b3c0e117d85e203a6331e7201e57af6528a9a942bf

    SHA512

    87f70db1ffa0a26283eac10f90d8dbb35866551c3f0ff281b5914b13b87f821f26f9aba136bb15dca6a51f6b9ac1f759cd5bf2c39c5df055737fc87b15b0cc39

    Download Submit

  • memory/2412-9-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download