Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/09/2024, 03:18
Static task
- static1
Behavioral task
- behavioral1
  Sample: f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
- Size: 760KB
- MD5: f12d0d690b86148cce1f7d01911b5359
- SHA1: 34cba5dc1de74d656c2b6e52789779689ff5d967
- SHA256: 3c90f7e66714f9cf7b2912e62a5772d0b47d0548bfa92376ebc5fa08cbc21a4e
- SHA512: 95405496452b02225c2c292f53382e762adc0ea2a9cb9c07b9cd00a34d1405f27a5c3e4f928810b6b887dff71ff0a95faa09e41292078f1609dea5a9cdae1ab5
- SSDEEP: 12288:JcrNS33L10QdrXZT+tcWn0s6tKWOj4f1cfS4yWr9ousp1oRUr5jjo/:0NA3R5drX/W9tWqWSSSvU1oi4
Malware Config
Extracted
- Family: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 2.tcp.ngrok.io:18729
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe | svhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe | svhost.exe
- Executes dropped EXE (7 IoCs)
  pid | Process
  2760 | Photo.exe
  2996 | Server.sfx.exe
  1912 | Server.exe
  1620 | svhost.exe
  992 | Server.exe
  2264 | Server.exe
  292 | Server.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  2948 | f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe (3 entries)
  2604 | cmd.exe
  2996 | Server.sfx.exe (3 entries)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." | svhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." | svhost.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  2 | 2.tcp.ngrok.io
  17 | 2.tcp.ngrok.io
  27 | 2.tcp.ngrok.io
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Photo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.sfx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1140 | schtasks.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1912 | Server.exe
  1620 | svhost.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1620 | svhost.exe
  Token: 33 | 1620 | svhost.exe
  Token: SeIncBasePriorityPrivilege | 1620 | svhost.exe
  (the pair Token: 33 / Token: SeIncBasePriorityPrivilege is logged 16 times, 33 entries in total)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  2868 | DllHost.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | Process | procid_target
  PID 2948 wrote to memory of 2760 | 2948 | f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe | 31 (4 entries)
  PID 2760 wrote to memory of 2604 | 2760 | Photo.exe | 32 (4 entries)
  PID 2604 wrote to memory of 2996 | 2604 | cmd.exe | 34 (4 entries)
  PID 2996 wrote to memory of 1912 | 2996 | Server.sfx.exe | 35 (4 entries)
  PID 1912 wrote to memory of 1620 | 1912 | Server.exe | 36 (3 entries)
  PID 1620 wrote to memory of 1140 | 1620 | svhost.exe | 38 (3 entries)
  PID 2828 wrote to memory of 992 | 2828 | taskeng.exe | 41 (3 entries)
  PID 2828 wrote to memory of 2264 | 2828 | taskeng.exe | 42 (3 entries)
  PID 2828 wrote to memory of 292 | 2828 | taskeng.exe | 43 (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe"
  PID: 2948
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\RarSFX0\Photo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Photo.exe"
    PID: 2760
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat" "
      PID: 2604
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.sfx.exe
        Command line: Server.sfx.exe -pqazwsx123
        PID: 2996
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\RarSFX2\Server.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Server.exe"
          PID: 1912
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Roaming\svhost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
            PID: 1620
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
              PID: 1140
              - Scheduled Task/Job: Scheduled Task
- [1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2868
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9565D415-C3FD-452C-98E6-4B2632AA02A6} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  PID: 2828
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    PID: 992
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    PID: 2264
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    PID: 292
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads