Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 12:43

General

  • Target

    ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe

  • Size

    507KB

  • MD5

    ed9d5228f09a3b6ab41654ae4535e13b

  • SHA1

    39d26043d0e2cba9b3ec9fbfe0cc920a3bb45665

  • SHA256

    98b0708f87e441e6ab181053cf6808ebc7671134624feb047222a9324a9f7847

  • SHA512

    f93e7e2dc089b771079ab91667976ab14e42d07bab0468fa0b59d7d701cee85d615284e10549538ebd1cdf38c9c8555cd81d4688affd62ac4aa92cb570c53f48

  • SSDEEP

    1536:AeZN1s3o5pMCgNlWnkEU2jKIUBL4DZ8/F/n1dO:Auvp5KNlc1jKTL4Z8/Jn1

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Last

C2

recreciptor.hopto.org:2255

Mutex

63951ff13995ee572862321383fecced

Attributes
  • reg_key

    63951ff13995ee572862321383fecced

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Roaming\VIP72.exe
      "C:\Users\Admin\AppData\Roaming\VIP72.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\VIP72.exe" "VIP72.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\VIP72.exe

    Filesize

    507KB

    MD5

    ed9d5228f09a3b6ab41654ae4535e13b

    SHA1

    39d26043d0e2cba9b3ec9fbfe0cc920a3bb45665

    SHA256

    98b0708f87e441e6ab181053cf6808ebc7671134624feb047222a9324a9f7847

    SHA512

    f93e7e2dc089b771079ab91667976ab14e42d07bab0468fa0b59d7d701cee85d615284e10549538ebd1cdf38c9c8555cd81d4688affd62ac4aa92cb570c53f48

  • memory/2168-0-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

    Filesize

    4KB

  • memory/2168-1-0x0000000000450000-0x000000000045C000-memory.dmp

    Filesize

    48KB

  • memory/2168-2-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2168-3-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2168-11-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2856-12-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

    Filesize

    9.6MB

  • memory/2856-14-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

    Filesize

    9.6MB