Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/06/2024, 16:36

General

  • Target

    bd4b1ccafd3ffcca49961c010d8abed5_JaffaCakes118.vbs

  • Size

    47KB

  • MD5

    bd4b1ccafd3ffcca49961c010d8abed5

  • SHA1

    e49c6d2c4e77e782f8f6afcfa1a34fedb6b67586

  • SHA256

    d58f219e40a169eb0bd5338740f1852d690630466b77cd343772f4da12271fd9

  • SHA512

    842d9bccac08d44bca271230a655f351e15425bb64bc925d8ddc8bf418b2586258cef50c1d54c1de1930b4d435821b752134ecb6ebb9a999b8acdec238f27b4f

  • SSDEEP

    768:LWu7Rgdz+OQFQvUGB6T8PEKi6JNf79sdgVR9aPzdADDrDyhss92vxboECSB0RDYp:JAqTA9naPz2vxboECSBMzK2uae

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

65a67df4f491be9b9a2a9164c0652865

Attributes
  • reg_key

    65a67df4f491be9b9a2a9164c0652865

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd4b1ccafd3ffcca49961c010d8abed5_JaffaCakes118.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE
      C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\server.vbs"
        3⤵
          PID:4772

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\57yhyh.ExE

      Filesize

      23KB

      MD5

      12133dc8e4b3a96da6867330740f1c47

      SHA1

      de1939e796fa592b1acc4393981da044791a99dc

      SHA256

      ac8cb006c48662e9d5063823cf3158725d8f3d1c39aef4e7f164c4b251444391

      SHA512

      db2037ab6bb9adad914c671f9d836be7e7b566c8a45f9e4bbe1221145be561d436effff1911e83af264ac429fc7a2fa89f37de0210f81ada73ad7d003939ab0b

    • memory/1552-4-0x0000000074DF2000-0x0000000074DF3000-memory.dmp

      Filesize

      4KB

    • memory/1552-5-0x0000000074DF0000-0x00000000753A1000-memory.dmp

      Filesize

      5.7MB

    • memory/1552-6-0x0000000074DF0000-0x00000000753A1000-memory.dmp

      Filesize

      5.7MB

    • memory/1552-11-0x0000000074DF0000-0x00000000753A1000-memory.dmp

      Filesize

      5.7MB