
General

  • Target

    Server.exe

  • Size

    93KB

  • Sample

    230723-1sqyvsgh63

  • MD5

    57e1aae72406aecb9418ea6b9900d24f

  • SHA1

    b1eb7cf67e69c5ecaea4df806d5e17913485c048

  • SHA256

    baa50398d0c735b6f72a76093ed875a27ec9d60d900ecd50d396f5bc2bdf9cf2

  • SHA512

    1937e3b729ad249f7e0c0ea3ad11d2af6bd6f237833d4779d8a758ae307c76b9b8c2b47910c42f3228411695ba5a4c0a78cab2c8e8693d342750f2495cf20196

  • SSDEEP

    768:OY3rUnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk31sGS:tUxOx6baIa9RZj00ljEwzGi1dDFDcgS

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    hakim32.ddns.net:2000

    hkmtdr.ddns.net:6522

  • Mutex

    3fe8a9a3f17c479411fdaf6e87365c0c

Attributes

  • reg_key

    3fe8a9a3f17c479411fdaf6e87365c0c

  • splitter

    |'|'|

Targets


    • Modifies WinLogon for persistence

    • Modifies security service

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables RegEdit via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks