Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
11/03/2025, 06:07
General
-
Target
JaffaCakes118_63a2547533c64aa86f3c9583696cad26.exe
-
Size
134KB
-
MD5
63a2547533c64aa86f3c9583696cad26
-
SHA1
b08f234c30e99beca3e4ef5652e2b95d53d19a89
-
SHA256
55022431cb92d5ca852d5bc209253ea8be1451f90119e0758323064c6e9cd137
-
SHA512
7811d86989768d949e8e0fdc447ea86a70b9d3772ea05a2857f31cc765ef7c720e79ef71d109405beb6db196edbf9734ecb3307ede1cae2f7a74063cdfaf9aa1
-
SSDEEP
3072:CMwZSQpKa3VGVnpUlCz764/9xpEEBqbZuwh5iGHeqovv:C3JVGpxx9b3wZuwh4GHeqo
Malware Config
Signatures
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a2547533c64aa86f3c9583696cad26.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63a2547533c64aa86f3c9583696cad26.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k imgsvc1⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD54a1a3c867f9909a118b1cd3229f8d9e3
SHA1c1d09f6ec848bbe50608923bd3d185b0dd585a9c
SHA2563415d5a6242e7528ee357fe025512feb64fa0d08b351f9171b7fbc8e23b46128
SHA512278ce3e1b69c77c8f6fc8f8e1e9e41503b466853beeec83330e4213e9402dae63584ff29bd84a8667d12d174ef852c36848c07d9c00d6d7c4fc9ed9f8234267c
-
Filesize
98B
MD5ff0128d9da0fdd3bca8e1bf893e98938
SHA1c72a615f2292813f7bdd4b4c2e3b73c25a8761e1
SHA2564d5a75cbb65e1f09fa3cc357e37411a68dcfc56fd74851dd590f73c84161662e
SHA512a11d27de3341072eaebb5e3acdf7de43049431344422a727a0966a96e499e83c1374fbeb25189b7d1e282662181ad54427a2e5b58c9b801fed9dfa8b82f95788
-
Filesize
17.6MB
MD5e3b59090c9bbdc5245196786b7226df5
SHA10703d77ce23d295eced8475d6eca16c34a07d7b3
SHA2563384ff8c36cf5d5ca8e1048666bca2c823fd545dc77afddcb0cd294a48e23bf2
SHA5121ba873c97e6ca9e63d37098f7005f3f2ba460496977f9b7c165cfdc3fb3109c9966ee5803125fd206defec5a9bab497375b97576266b9617c280167133a9b7c1
