Analysis
  max time kernel: 149s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 20/09/2024, 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
The signatures, PIDs and process tree reported below are from the windows7_x64 run (behavioral1, resource win7-20240903-en).
General
  Target: ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe
  Size: 507KB
  MD5: ed9d5228f09a3b6ab41654ae4535e13b
  SHA1: 39d26043d0e2cba9b3ec9fbfe0cc920a3bb45665
  SHA256: 98b0708f87e441e6ab181053cf6808ebc7671134624feb047222a9324a9f7847
  SHA512: f93e7e2dc089b771079ab91667976ab14e42d07bab0468fa0b59d7d701cee85d615284e10549538ebd1cdf38c9c8555cd81d4688affd62ac4aa92cb570c53f48
  SSDEEP: 1536:AeZN1s3o5pMCgNlWnkEU2jKIUBL4DZ8/F/n1dO:Auvp5KNlc1jKTL4Z8/Jn1
Malware Config
Extracted configuration (njRAT)
  Family: njrat
  Version: 0.7d
  Campaign (victim name): Last
  C2: recreciptor.hopto.org:2255
  Mutex: 63951ff13995ee572862321383fecced
  reg_key: 63951ff13995ee572862321383fecced
  splitter: |'|'|
The three unlabelled values in the extracted config are, in njRAT's configuration order, the campaign name, the C2 host:port and the mutex. In njRAT the mutex is the same string as reg_key, and that string is reused as the Run-key value name and as the filename of the Startup-folder copy, which is why 63951ff13995ee572862321383fecced appears throughout the signatures below. The C2 hostname is under hopto.org, a No-IP dynamic DNS domain, so the IP it resolves to can change at the operator's discretion; block and hunt on the hostname, not on a single resolved address.
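How the splitter from this config is used on the wire, as an added example (this is not code from the tria.ge report or from njRAT): njRAT frames each C2 message as a decimal byte length, a NUL byte, then the payload, whose fields are joined with the configured splitter. The framing rule, the splitter, the campaign name and the version are taken from the config above; the "ll" registration message built by build_registration() is constructed for the example and its field order is an approximation, not something the report shows. The parser handles a TCP stream that ends mid-message and rejects data that is not length-prefixed, so the same functions can be used as a crude traffic classifier.

```python
import base64

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
CAMPAIGN = "Last"
VERSION = "0.7d"


def frame(fields, splitter=SPLITTER):
    """Build one message in njRAT's framing: '<decimal byte length>\\x00' followed
    by the fields joined with the splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream, splitter=SPLITTER):
    """Split a byte stream into complete messages (each a list of fields).

    Returns (messages, leftover). A trailing partial message stays in leftover
    so the caller can append the next TCP segment and call again. Raises
    ValueError when the data does not start with a decimal length prefix.
    """
    messages = []
    while stream:
        sep = stream.find(b"\x00")
        prefix = stream if sep < 0 else stream[:sep]
        if not prefix.isdigit():
            raise ValueError("not njRAT framing: non-numeric length prefix")
        if sep < 0:
            break                                  # length digits still arriving
        end = sep + 1 + int(prefix)
        if len(stream) < end:
            break                                  # body not fully received yet
        payload = stream[sep + 1:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        stream = stream[end:]
    return messages, stream


def decode_b64_field(field):
    """njRAT base64-encodes a few fields (victim id, active window title).
    Return the decoded text when the field is valid base64 UTF-8, else the field."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return field


def build_registration(hwid="5C7A9E12", computer="DESKTOP-7", user="Admin"):
    """Constructed 'll' (registration) message for this example. The field order
    is an approximation of njRAT 0.7d and is NOT taken from the report; only the
    splitter, campaign name and version come from the extracted config."""
    victim_id = base64.b64encode(f"{CAMPAIGN}_{hwid}".encode()).decode()
    window = base64.b64encode(b"Program Manager").decode()
    fields = ["ll", victim_id, computer, user, "24-09-20", "",
              "Win 7 Ultimate SP1 x64", "No", VERSION, "..", window, ""]
    return frame(fields)


def parse_registration(fields):
    """Return (campaign, hwid) from a registration message, or None for other
    message types. The victim id is '<campaign>_<hwid>' base64-encoded."""
    if len(fields) < 2 or fields[0] != "ll":
        return None
    campaign, _, hwid = decode_b64_field(fields[1]).partition("_")
    return campaign, hwid


def looks_like_njrat(stream, splitter=SPLITTER):
    """Detection helper: True when the bytes parse as njRAT framing and at least
    one complete message contains the configured splitter."""
    try:
        messages, _ = unframe(stream, splitter)
    except ValueError:
        return False
    return any(len(fields) > 1 for fields in messages)


if __name__ == "__main__":
    # A full registration followed by a second (constructed) frame cut off mid-body.
    stream = build_registration() + frame(["constructed", "second", "message"])[:6]
    messages, leftover = unframe(stream)
    for fields in messages:
        print(fields[0], parse_registration(fields), "version", fields[8])
    print("leftover:", leftover)
    print("njRAT framing:", looks_like_njrat(stream),
          "| HTTP:", looks_like_njrat(b"GET / HTTP/1.1\r\n"))
```

Because the splitter is a per-build configuration value, a network signature keyed on |'|'| will miss builds that use a different splitter; the length-prefix framing is the more stable part of the protocol and is what looks_like_njrat() checks first.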
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID    Process
  2220   netsh.exe

Drops startup file (2 IoCs)
  Description                   IoC                                                                                                                 Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63951ff13995ee572862321383fecced.exe   VIP72.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63951ff13995ee572862321383fecced.exe   VIP72.exe
  The filename is the reg_key/mutex value from the extracted config, which is how njRAT names its Startup-folder copy.

Executes dropped EXE (1 IoC)
  PID    Process
  2856   VIP72.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Description       IoC                                                                                                                                                                                    Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\63951ff13995ee572862321383fecced = "\"C:\\Users\\Admin\\AppData\\Roaming\\VIP72.exe\" .."   VIP72.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63951ff13995ee572862321383fecced = "\"C:\\Users\\Admin\\AppData\\Roaming\\VIP72.exe\" .."                              VIP72.exe
  The value name is again the reg_key from the config, and the value data is the quoted install path followed by " ..", njRAT's usual Run-key command line. Writing the HKLM entry requires administrative rights, so its presence shows the sample ran elevated in the sandbox; on a standard-user host expect only the HKCU entry.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Description            IoC                                          Process
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh   netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh   netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh   netsh.exe
  Caveat: all three IoCs are reads performed by netsh.exe itself, which enumerates this key on every start to load its registered helper DLLs. Nothing here writes a new helper entry, so this is a side effect of the firewall command the sample ran, not the sample installing a Netsh helper DLL for persistence; weigh the ATT&CK mapping accordingly.

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 by PID 2856 (VIP72.exe): SeDebugPrivilege once, then 17 alternating pairs of the two tokens below.
  Token                                 Count
  SeDebugPrivilege                      1
  33 (SeIncreaseWorkingSetPrivilege)    17
  SeIncBasePriorityPrivilege            17

Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID   Source process                                       Target PID   Target process   procid_target   Count
  2168         ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe   2856         VIP72.exe        30              3
  2856         VIP72.exe                                            2220         netsh.exe        31              3
  Each write targets a process the writer has just spawned (see the process tree), which is consistent with the parent populating the new child's process parameters during process creation rather than with code injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe  (PID 2168, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\VIP72.exe  (PID 2856, depth 2, child of 2168)
    Command line: "C:\Users\Admin\AppData\Roaming\VIP72.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\netsh.exe  (PID 2220, depth 3, child of 2856)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\VIP72.exe" "VIP72.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      Note: this is the legacy "netsh firewall" context, deprecated since Windows Vista but still honoured on Windows 7, used to add an inbound exception for the installed payload. The rule it creates is listed by "netsh advfirewall firewall show rule name=all" alongside rules created through the current context.
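Detection logic for the chain above, as an added example that is not part of the tria.ge report: the events are hand-constructed Sysmon-style records (EventID 1 process create, 11 file create, 13 registry value set, with Sysmon's real field names) that mirror the report's paths, PIDs and registry values, plus one constructed benign netsh event as a control. Three per-event rules flag a payload in AppData launched from Temp, Run values that point into a user-writable directory, and a firewall exception added for such a binary; a final correlation rule catches njRAT's habit of reusing one name for the Run value in both hives and the Startup-folder copy.

```python
import os
import re
from collections import defaultdict

# Paths a standard user can write to; binaries persisting from here deserve a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)
# Legacy and current netsh syntaxes for adding a program/rule exception.
NETSH_ALLOW = re.compile(
    r"netsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE)
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"]+?\.exe", re.IGNORECASE)

# Values from the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ed9d5228f09a3b6ab41654ae4535e13b_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\VIP72.exe"
NAME = "63951ff13995ee572862321383fecced"      # reg_key / mutex from the extracted config
SID = "S-1-5-21-3533259084-2542256011-65585152-1000"
STARTUP_FILE = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
                + "\\" + NAME + ".exe")
HKCU_RUN = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run" + "\\" + NAME
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\" + NAME

# Constructed Sysmon-style events mirroring the report. The last event is a
# constructed benign control: an administrator adding a rule from an elevated shell.
EVENTS = [
    {"EventID": 1, "ProcessId": 2168, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{DROPPER}"'},
    {"EventID": 1, "ProcessId": 2856, "Image": PAYLOAD, "ParentImage": DROPPER,
     "CommandLine": f'"{PAYLOAD}"'},
    {"EventID": 11, "ProcessId": 2856, "Image": PAYLOAD, "TargetFilename": STARTUP_FILE},
    {"EventID": 13, "ProcessId": 2856, "Image": PAYLOAD, "TargetObject": HKCU_RUN,
     "Details": f'"{PAYLOAD}" ..'},
    {"EventID": 13, "ProcessId": 2856, "Image": PAYLOAD, "TargetObject": HKLM_RUN,
     "Details": f'"{PAYLOAD}" ..'},
    {"EventID": 1, "ProcessId": 2220, "Image": r"C:\Windows\system32\netsh.exe", "ParentImage": PAYLOAD,
     "CommandLine": f'netsh firewall add allowedprogram "{PAYLOAD}" "VIP72.exe" ENABLE'},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="SQL" dir=in action=allow '
                    r'program="C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"'},
]


def detect(events):
    """Return a list of alert strings. The first three rules fire per event; the
    last correlates Run-key value names with Startup-folder filenames."""
    alerts = []
    run_hives = defaultdict(set)     # Run value name (lowercase) -> hives written
    startup_names = set()            # basenames (no extension) dropped into Startup
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            cmd = e["CommandLine"]
            if USER_WRITABLE.search(e["Image"]) and TEMP_DIR.search(e["ParentImage"]):
                alerts.append(f"pid {e['ProcessId']}: binary in AppData launched by a "
                              f"process in Temp (dropper -> payload): {e['Image']}")
            if NETSH_ALLOW.search(cmd):
                paths = [p for p in EXE_PATH.findall(cmd) if USER_WRITABLE.search(p)]
                if paths or USER_WRITABLE.search(e["ParentImage"]):
                    alerts.append(f"pid {e['ProcessId']}: firewall exception added for "
                                  f"{paths or [e['ParentImage']]}")
        elif eid == 13:
            m = RUN_KEY.search(e["TargetObject"])
            if m:
                name, hive = m.group(1), e["TargetObject"].split("\\", 1)[0]
                run_hives[name.lower()].add(hive)
                if USER_WRITABLE.search(e["Details"]):
                    alerts.append(f"pid {e['ProcessId']}: Run value {name} in {hive} -> {e['Details']}")
        elif eid == 11:
            m = STARTUP_DIR.search(e["TargetFilename"])
            if m:
                startup_names.add(os.path.splitext(m.group(1))[0].lower())
    for name, hives in run_hives.items():
        if len(hives) > 1 and name in startup_names:
            alerts.append(f"persistence name {name} reused across {sorted(hives)} and the "
                          f"Startup folder (njRAT-style mutex reuse)")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The per-event rules are noisy on their own (installers legitimately add firewall rules and Run values), which is why the correlation rule exists: one string used as the Run value name in two hives and as a Startup-folder filename is specific to the way this family persists and is a high-confidence hit even when the string itself changes per build.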
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)