Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c06aa970bd...18.exe

windows7-x64

10

c06aa970bd...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2024, 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe

  • Size

    118KB

  • MD5

    c06aa970bd19848b1e30d7ef29b96db9

  • SHA1

    d00136054593fd2866a708ab0747a906a9329ddc

  • SHA256

    a6f6e5c3c97c144017680125611d208180a11cbede998b814eccc003d19958c9

  • SHA512

    e89b997a3c3c2209b27413a4d91e8e85832bfb8b0a5732194d92f6e7f0d3b17c2b3835bc00d54d2851ecaaee7c6dceb09c6263bdeba9f8865f775ab341afe655

  • SSDEEP

    1536:u7f65g9OX2CLGAApICdOk/dYLAZXdlItBGTjeIOlnToIfqwqHTTarAW9ctzqmg1I:knlVICUkLrGGTINTBfqHHYcFqmaI

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:666

Mutex

d95e2235c32e093b2431125ea5df9722

Attributes
  • reg_key

    d95e2235c32e093b2431125ea5df9722

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\system32\cscript.exe
      "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\5985.tmp\5986.tmp\5987.vbs //Nologo
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Roaming\ServerName.exe
        "C:\Users\Admin\AppData\Roaming\ServerName.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ServerName.exe" "ServerName.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5985.tmp\5986.tmp\5987.vbs
    Filesize

    64KB

    MD5

    b2cca365214a78a41e520385fe38ca6d

    SHA1

    cc35acfe65dd34e10981a8a1b826d075ab73e558

    SHA256

    5e3416c1f4df20a75410f322edacb3247fe2e270a6abd13765f243f9f82cdb5a

    SHA512

    3c35f92f43e5a2cce29be8dd6d42a84a7436390224114c572c71dc4258b2beb35a1aea6ff4c9c82a60dc0ab3554da88fd880b5931204f450da30e6ac4ae3e384

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ServerName.exe
    Filesize

    23KB

    MD5

    41131e8adc7272f892a2c93ef32a1c60

    SHA1

    fe49f5293e0ec55720e9f1bb48666e513d16b81d

    SHA256

    81fa732787973ee56d454a5b438b6495a1c855c47f6e86c4d44b1f35f163546b

    SHA512

    006c21afcefaea738ab46939edbfb5c18fbf16e62afa2f2ff9d667a184a8f1eceeb65ae4c222245452fd1e016ce5849f4e1f5d2734f6684e9e9e8de59adc76ae

    Download Submit

  • memory/2764-8-0x0000000074551000-0x0000000074552000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2764-9-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2764-10-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2764-11-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2764-12-0x0000000074550000-0x0000000074AFB000-memory.dmp

    Filesize

    5.7MB

    Download