
General

  • Target: ef88013105357db2be870d0557f41e7c_JaffaCakes118
  • Size: 14KB
  • Sample: 240921-lsmh4swckf
  • MD5: ef88013105357db2be870d0557f41e7c
  • SHA1: 906864394a1715f283ba1a724b521b6e36827195
  • SHA256: 180c1593184328ae276173554183e068d0f8379f1aaec63c7ad705042fbc7d73
  • SHA512: adfa4b061310545573b4da835b0c52f39b6986daf6e775cb1c0d263a21e99e04a7653f7ad2a17f0341c184e7e6df48d17d74d0aa2bda3b3b54612ec0a63b3856
  • SSDEEP: 384:QfQQHn64PSWRgaJ3qeG3Rxos7d3o+4SGazpDJPX+cAS3:2QQa4qW643qRos72VSGop1WK

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: Hacked By HiDDen PerSOn
  • C2: l1x.ddns.net:5552
  • Mutex: 452d007e0e891c3400f56e8d13041c1e

Attributes

  • reg_key: 452d007e0e891c3400f56e8d13041c1e
  • splitter: |'|'|

Targets

    • Target: L1xware.exe
    • Size: 32KB
    • MD5: b369b171954015e188eb2646dbd4c817
    • SHA1: 41b79bd407b8c6a6edc87c66e6692bf203ce749b
    • SHA256: 6aeada94389e3c6c001857ce2e22139e63a4ece256faf3dcde568adadfdc1bf5
    • SHA512: 0acc701ff7a30dbc665847fd06094737ae863b228459661dfbb0e42fcfc92585c09e391876787ca6fd99002e3c997390f40bcf07d2a87ff7d6bc69416ee03efc
    • SSDEEP: 384:WF5kg0KQUvUpsi+daDpyFva9dFPIQL1fJfiTK2glD4odg9TduS/EIGsJjwE7UMcY:Oo0Ldae8/FmouDuCEIGfRt+f

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks