Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 07:40 UTC

General

  • Target

    eade4b1b81bbe130f60de0aa4932be6e_JaffaCakes118.exe

  • Size

    43KB

  • MD5

    eade4b1b81bbe130f60de0aa4932be6e

  • SHA1

    70ff7e159df53043ad9204965b27539929679068

  • SHA256

    740ee7f71f72705e2098e4171df52c5c822c457b13d9854f9d10657bc9f3622b

  • SHA512

    2467ea1f6b2adc5d4ad5f3188048219876906defa358dff3e037035153df5ac32da6b4577a47174fd5cdfca8a03dec6e05dd16184b4674bb03beda77250c7a6c

  • SSDEEP

    768:u9YUIDSC40/Ex2iLdzVL/bycmfEaSSHH13nNG1:u3C4cEHpVLXyEVSBs

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

ecc7c8c51c0850c1ec247c7fd3602f20

Attributes
  • reg_key

    ecc7c8c51c0850c1ec247c7fd3602f20

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eade4b1b81bbe130f60de0aa4932be6e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eade4b1b81bbe130f60de0aa4932be6e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\windows.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2620

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:1177
    windows.exe
    (25 identical connection entries to the configured C2 address, collapsed from the original report)
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\windows.exe

    Filesize

    43KB

    MD5

    eade4b1b81bbe130f60de0aa4932be6e

    SHA1

    70ff7e159df53043ad9204965b27539929679068

    SHA256

    740ee7f71f72705e2098e4171df52c5c822c457b13d9854f9d10657bc9f3622b

    SHA512

    2467ea1f6b2adc5d4ad5f3188048219876906defa358dff3e037035153df5ac32da6b4577a47174fd5cdfca8a03dec6e05dd16184b4674bb03beda77250c7a6c

  • memory/3024-6-0x0000000005FC0000-0x0000000006564000-memory.dmp

    Filesize

    5.6MB

  • memory/3024-20-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/3024-3-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/3024-4-0x00000000057F0000-0x00000000057FE000-memory.dmp

    Filesize

    56KB

  • memory/3024-5-0x0000000005970000-0x0000000005A0C000-memory.dmp

    Filesize

    624KB

  • memory/3024-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

    Filesize

    4KB

  • memory/3024-1-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

    Filesize

    64KB

  • memory/3024-2-0x0000000003280000-0x000000000328E000-memory.dmp

    Filesize

    56KB

  • memory/3948-19-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/3948-21-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/3948-22-0x0000000005AA0000-0x0000000005B32000-memory.dmp

    Filesize

    584KB

  • memory/3948-23-0x0000000005A70000-0x0000000005A7A000-memory.dmp

    Filesize

    40KB

  • memory/3948-24-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB

  • memory/3948-25-0x0000000074E90000-0x0000000075640000-memory.dmp

    Filesize

    7.7MB
