Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/06/2024, 16:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: bd4b1ccafd3ffcca49961c010d8abed5_JaffaCakes118.vbs
- Resource: win7-20231129-en
General
- Target: bd4b1ccafd3ffcca49961c010d8abed5_JaffaCakes118.vbs
- Size: 47KB
- MD5: bd4b1ccafd3ffcca49961c010d8abed5
- SHA1: e49c6d2c4e77e782f8f6afcfa1a34fedb6b67586
- SHA256: d58f219e40a169eb0bd5338740f1852d690630466b77cd343772f4da12271fd9
- SHA512: 842d9bccac08d44bca271230a655f351e15425bb64bc925d8ddc8bf418b2586258cef50c1d54c1de1930b4d435821b752134ecb6ebb9a999b8acdec238f27b4f
- SSDEEP: 768:LWu7Rgdz+OQFQvUGB6T8PEKi6JNf79sdgVR9aPzdADDrDyhss92vxboECSB0RDYp:JAqTA9naPz2vxboECSBMzK2uae
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 127.0.0.1:1177
- Mutex: 65a67df4f491be9b9a2a9164c0652865
- reg_key: 65a67df4f491be9b9a2a9164c0652865
- splitter: |'|'|
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 57yhyh.ExE
- Executes dropped EXE (1 IoCs)
  pid | Process
  1552 | 57yhyh.ExE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | 57yhyh.ExE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4268 wrote to memory of 1552 | 4268 | WScript.exe | 82
  PID 4268 wrote to memory of 1552 | 4268 | WScript.exe | 82
  PID 4268 wrote to memory of 1552 | 4268 | WScript.exe | 82
  PID 1552 wrote to memory of 4772 | 1552 | 57yhyh.ExE | 91
  PID 1552 wrote to memory of 4772 | 1552 | 57yhyh.ExE | 91
  PID 1552 wrote to memory of 4772 | 1552 | 57yhyh.ExE | 91
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd4b1ccafd3ffcca49961c010d8abed5_JaffaCakes118.vbs"
  PID: 4268
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE
    Command line: C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE
    PID: 1552
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\server.vbs"
      PID: 4772
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 23KB
  MD5: 12133dc8e4b3a96da6867330740f1c47
  SHA1: de1939e796fa592b1acc4393981da044791a99dc
  SHA256: ac8cb006c48662e9d5063823cf3158725d8f3d1c39aef4e7f164c4b251444391
  SHA512: db2037ab6bb9adad914c671f9d836be7e7b566c8a45f9e4bbe1221145be561d436effff1911e83af264ac429fc7a2fa89f37de0210f81ada73ad7d003939ab0b