Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

JaffaCakes...ea.exe

windows7-x64

10

JaffaCakes...ea.exe

windows10-2004-x64

10

20118404441.exe

windows7-x64

6

20118404441.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2025, 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_66a3465502ceef6514b81cda65af97ea.exe

  • Size

    88KB

  • MD5

    66a3465502ceef6514b81cda65af97ea

  • SHA1

    dbbd91bd4f5d6dceb9c9fcb7a2cfe37033679fc6

  • SHA256

    7ab5a4963454c799cc1149b38d9b26fa816cfdf938169879b431723f863a44d1

  • SHA512

    60a0fee518ea398651f232e76e668b2dc09d83cfe6a14cc83bcfb873c318e35bee47ec4ba3d3f68991d5baa41fb8a621d662fc87fc6de60a3df5cb2701bb31b3

  • SSDEEP

    1536:ALXB65939tY6HBg4sXJXivNF3NT9672dY7LVF3+PwiFqIbdwV4HRwBxya:ALk395hYXJyFpVSTz+NdwyRQca

Score
10/10
gh0stratdiscoverypersistencerat

Malware Config

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66a3465502ceef6514b81cda65af97ea.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66a3465502ceef6514b81cda65af97ea.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\temp\20118404441.exe
      "C:\Windows\temp\20118404441.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 "C:\Program Files\MJ001.INI",MJ001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\Temp\20118404441.exe
    Filesize

    152KB

    MD5

    76d4be5325ab30c36a17d59058a49784

    SHA1

    94c9e0f84cebe4f418c0e9fd968f8e4b7d5ff300

    SHA256

    15a152afd9e625e11962c53a7a2c67777df7b5f313d1d22f9f16888f41618328

    SHA512

    75f5ce2b0f65755f93fd9d50121c172e209597d781c5b6ec020b2593ec9654f3199e243df5c8c5c5d23daa00fba4e42e186e5ff0e80b9c7c4ca156dae7fee55d

    Download Submit

  • memory/2604-1-0x00000000004B0000-0x00000000004B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2844-2-0x0000000000160000-0x0000000000162000-memory.dmp

    Filesize

    8KB

    Download