Analysis
Max time kernel: 151s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20/05/2024, 19:11
Behavioral task: behavioral1
Sample: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Size: 23KB
MD5: 60b9f5772f52920b02507511dc5ff5cd
SHA1: 6eda493c46a883761cc4d69516fb84ff9975a3df
SHA256: b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18
SHA512: c17a3397c918ad7b5c2bf8d794c0885af0511378e770b9f16a0c067de86426c83a237527e425e58c76bd93dc8ee001ede8561fc2f61fdc5fa314f22fddf401dc
SSDEEP: 384:xTWSEFDn65Egj6RGiYCINTY6xgXakh2oZDJmRvR6JZlbw8hqIusZzZGI:Nm7OM9YX0MRpcnuo
Malware Config

Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 4996, process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  PID 1752, process njrat fr3on.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5960382bc6c885bc624da9f2db2ec726 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njrat fr3on.exe\" .." (process: njrat fr3on.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5960382bc6c885bc624da9f2db2ec726 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njrat fr3on.exe\" .." (process: njrat fr3on.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (29 IoCs, all from PID 1752, njrat fr3on.exe)
  Token: SeDebugPrivilege (1 entry)
  Token: 33 (14 entries)
  Token: SeIncBasePriorityPrivilege (14 entries, alternating with the Token: 33 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2432 wrote to memory of 1752 (process: 60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe, procid_target 98), 3 identical entries
  PID 1752 wrote to memory of 4996 (process: njrat fr3on.exe, procid_target 100), 3 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe (depth 1, PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe (depth 2, PID 1752)
    Command line: "C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3, PID 4996)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe" "njrat fr3on.exe" ENABLE
      Signatures: Modifies Windows Firewall
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 532)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 23KB
  MD5: 60b9f5772f52920b02507511dc5ff5cd
  SHA1: 6eda493c46a883761cc4d69516fb84ff9975a3df
  SHA256: b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18
  SHA512: c17a3397c918ad7b5c2bf8d794c0885af0511378e770b9f16a0c067de86426c83a237527e425e58c76bd93dc8ee001ede8561fc2f61fdc5fa314f22fddf401dc