Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/09/2024, 08:17 UTC

General

  • Target

    dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe

  • Size

    93KB

  • MD5

    dc1d0319a87205834977c9193840bdbf

  • SHA1

    70784a051b32b34a71e73762bdd03f77186143d4

  • SHA256

    01fdfc314bfab5c7d0cf774aba4dfabc0b503b7e7d91eb1016d8b5a7fcbc83f6

  • SHA512

    efd137d0eeb1dd5c1709ab220b9f446ec76897ffdda12d884e708275751e2c5c67f7f9041bb54778307a8d0c025e8456c0bbaf3b08474e7ad27c39eb3a809dca

  • SSDEEP

    768:3Da0mkspJtyZA/vMHTi9bD5NjHmLRpbZG3bV/aPfQpFx:za0mkSbnYi9bFlUfQpf

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

4.tcp.ngrok.io:15315

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (33 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe (PID 1756, level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe"
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    Child processes:
    • C:\Users\Admin\AppData\Roaming\Payload.exe (PID 3064, level 2)
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\attrib.exe (PID 936, level 2)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes

Network

  DNS (resolver 8.8.8.8:53; all queries issued by Payload.exe; all endpoints flagged US):

    Domain           Query   Response
    4.tcp.ngrok.io   IN A    3.131.147.49
    4.tcp.ngrok.io   IN A    3.22.15.135
    4.tcp.ngrok.io   IN A    3.129.187.220
    4.tcp.ngrok.io   IN A    3.133.207.110

  Connections (all by Payload.exe; identical rows collapsed, with the number of occurrences in the last column; the 8.8.8.8:53 row covers the four DNS lookups listed above, one per response address):

    Remote address        Domain           Sent    Received   Packets sent   Packets received   Occurrences
    3.131.147.49:15315    4.tcp.ngrok.io   152 B   120 B      3              3                  4
    3.22.15.135:15315     4.tcp.ngrok.io   152 B   120 B      3              3                  12
    3.129.187.220:15315   4.tcp.ngrok.io   152 B   120 B      3              3                  17
    3.133.207.110:15315   4.tcp.ngrok.io   152 B   120 B      3              3                  3
    3.133.207.110:15315   4.tcp.ngrok.io   104 B   80 B       2              2                  1
    8.8.8.8:53 (dns)      4.tcp.ngrok.io   60 B    76 B       1              1                  4

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

    Filesize

    1KB

    MD5

    ab8bda25bb33bc4e1b0fb838182310ee

    SHA1

    3d5019c29dc25b75a0895c1cfbddbc1b82f65564

    SHA256

    61876eace51bdcb316ccd5ab578199d0047e5613aa1e6b74de14510dfdf32899

    SHA512

    1372d6246158b69ca5f13628e92cc01e5f2789a7c3d27a9b60dd7e05140be90c55aba20a6ad1f623d457d3971b0a5c8a99e521da974653384d257462ab8ba133

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

    Filesize

    1018B

    MD5

    a1f1aa45f3be732c8413aa8e836c795f

    SHA1

    0a92925bc77cce64632163970bbbba77447b7ac0

    SHA256

    049096a7457a01d3b22e8b9fea5e3e882b1e8b006445c8779785110bdd9f175e

    SHA512

    31cf6319c3f481081266b0b1893acee702baccaa7d9618b19984505fd757cf08bdad59a2d7d103851b4aec570da193c768ef6d8a416af7cb2b44a9e7b154ea15

  • \Users\Admin\AppData\Roaming\Payload.exe

    Filesize

    93KB

    MD5

    dc1d0319a87205834977c9193840bdbf

    SHA1

    70784a051b32b34a71e73762bdd03f77186143d4

    SHA256

    01fdfc314bfab5c7d0cf774aba4dfabc0b503b7e7d91eb1016d8b5a7fcbc83f6

    SHA512

    efd137d0eeb1dd5c1709ab220b9f446ec76897ffdda12d884e708275751e2c5c67f7f9041bb54778307a8d0c025e8456c0bbaf3b08474e7ad27c39eb3a809dca

  • memory/1756-0-0x0000000074851000-0x0000000074852000-memory.dmp

    Filesize

    4KB

  • memory/1756-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1756-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1756-5-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1756-15-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/3064-13-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/3064-14-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

  • memory/3064-20-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB
