Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 20/05/2024, 19:11
Behavioral task: behavioral1
Sample: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Size: 23KB
MD5: 60b9f5772f52920b02507511dc5ff5cd
SHA1: 6eda493c46a883761cc4d69516fb84ff9975a3df
SHA256: b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18
SHA512: c17a3397c918ad7b5c2bf8d794c0885af0511378e770b9f16a0c067de86426c83a237527e425e58c76bd93dc8ee001ede8561fc2f61fdc5fa314f22fddf401dc
SSDEEP: 384:xTWSEFDn65Egj6RGiYCINTY6xgXakh2oZDJmRvR6JZlbw8hqIusZzZGI:Nm7OM9YX0MRpcnuo
Malware Config
Extracted
njrat
0.7d
Vicitm Of Alanrkyah - Hrob
127.0.0.1:1177
5960382bc6c885bc624da9f2db2ec726
reg_key: 5960382bc6c885bc624da9f2db2ec726
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid   Process
2572  netsh.exe

Executes dropped EXE (1 IoC)
pid   Process
1992  njrat fr3on.exe

Loads dropped DLL (1 IoC)
pid   Process
1160  60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                        Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\5960382bc6c885bc624da9f2db2ec726 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njrat fr3on.exe\" .."  njrat fr3on.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5960382bc6c885bc624da9f2db2ec726 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njrat fr3on.exe\" .."  njrat fr3on.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (35 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Token: 33                          1992  njrat fr3on.exe
Token: SeIncBasePriorityPrivilege  1992  njrat fr3on.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                                              procid_target
PID 1160 wrote to memory of 1992   1160  60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe  28
PID 1160 wrote to memory of 1992   1160  60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe  28
PID 1160 wrote to memory of 1992   1160  60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe  28
PID 1160 wrote to memory of 1992   1160  60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe  28
PID 1992 wrote to memory of 2572   1992  njrat fr3on.exe                                      29
PID 1992 wrote to memory of 2572   1992  njrat fr3on.exe                                      29
PID 1992 wrote to memory of 2572   1992  njrat fr3on.exe                                      29
PID 1992 wrote to memory of 2572   1992  njrat fr3on.exe                                      29
Processes

1. C:\Users\Admin\AppData\Local\Temp\60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe"
   PID: 1160
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe (child of PID 1160)
      Command line: "C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe"
      PID: 1992
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of PID 1992)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe" "njrat fr3on.exe" ENABLE
         PID: 2572
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 23KB
MD5: 60b9f5772f52920b02507511dc5ff5cd
SHA1: 6eda493c46a883761cc4d69516fb84ff9975a3df
SHA256: b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18
SHA512: c17a3397c918ad7b5c2bf8d794c0885af0511378e770b9f16a0c067de86426c83a237527e425e58c76bd93dc8ee001ede8561fc2f61fdc5fa314f22fddf401dc