Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2023, 06:53
Static task
- static1
Behavioral task
- behavioral1: Sample nun.jar, Resource win7-20230703-en
Behavioral task
- behavioral2: Sample nun.jar, Resource win10v2004-20230703-en
General
- Target: nun.jar
- Size: 49KB
- MD5: 1ec26b2e83ccbffc6a8552d92d99a0da
- SHA1: 0158ee62d67584fcf1fe3d9665325762fbb1ee6e
- SHA256: f3980210a51b33547b4fec31f77458036247dfcd12baca421eedc6bd4761aecf
- SHA512: 43d04bb614e170d3eda83d1783dbc58148b863e0c98cb10293c7a31bcae92ebdf55ad1a583336fbd005390d6fca13370f7a64a8b4a266f0d2aad53119aa01ff9
- SSDEEP: 768:BMoaNhfb2Ru7DBIJ/NxkRs8FmVyx468Bx7d+niXvh5913LQ5ip3+QEsZLHJ+x37M:EbyatImEZYENbQixEs5HJOI
Malware Config
Signatures
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid / Process:
  - 2268 attrib.exe
  - 2232 attrib.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\java\\java.jar.7BW\"" (reg.exe)
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\java\\java.jar.7BW\"" (reg.exe)
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Drops desktop.ini file(s) (2 IoCs)
  description / ioc / Process:
  - File created: C:\Users\Admin\AppData\Roaming\java\Desktop.ini (java.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\java\Desktop.ini (attrib.exe)
- Drops file in Windows directory (4 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\tem (java.exe)
  - File opened for modification: C:\Windows\tem (java.exe)
  - File created: C:\Windows\tem (javaw.exe)
  - File opened for modification: C:\Windows\tem (javaw.exe)
- Modifies registry key (1 TTPs, 2 IoCs)
  pid / Process:
  - 3048 reg.exe
  - 516 reg.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  - 1656 java.exe
  - 584 javaw.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / Process / procid_target:
  - PID 1656 wrote to memory of 3048: 1656 java.exe, target 30
  - PID 1656 wrote to memory of 3048: 1656 java.exe, target 30
  - PID 1656 wrote to memory of 3048: 1656 java.exe, target 30
  - PID 1656 wrote to memory of 2268: 1656 java.exe, target 31
  - PID 1656 wrote to memory of 2268: 1656 java.exe, target 31
  - PID 1656 wrote to memory of 2268: 1656 java.exe, target 31
  - PID 1656 wrote to memory of 2232: 1656 java.exe, target 32
  - PID 1656 wrote to memory of 2232: 1656 java.exe, target 32
  - PID 1656 wrote to memory of 2232: 1656 java.exe, target 32
  - PID 1656 wrote to memory of 584: 1656 java.exe, target 33
  - PID 1656 wrote to memory of 584: 1656 java.exe, target 33
  - PID 1656 wrote to memory of 584: 1656 java.exe, target 33
  - PID 584 wrote to memory of 516: 584 javaw.exe, target 34
  - PID 584 wrote to memory of 516: 584 javaw.exe, target 34
  - PID 584 wrote to memory of 516: 584 javaw.exe, target 34
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid / Process:
  - 2268 attrib.exe
  - 2232 attrib.exe
Processes
- C:\Windows\system32\java.exe
  java -jar C:\Users\Admin\AppData\Local\Temp\nun.jar
  PID: 1656
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v java /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\java\java.jar.7BW\"" /f
    PID: 3048
    - Adds Run key to start application
    - Modifies registry key
  - C:\Windows\system32\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\java\*.*"
    PID: 2268
    - Sets file to hidden
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
  - C:\Windows\system32\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\java"
    PID: 2232
    - Sets file to hidden
    - Views/modifies file attributes
  - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\java\java.jar.7BW"
    PID: 584
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v java /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\java\java.jar.7BW\"" /f
      PID: 516
      - Adds Run key to start application
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads