Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2024, 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
Size: 118KB
MD5: c06aa970bd19848b1e30d7ef29b96db9
SHA1: d00136054593fd2866a708ab0747a906a9329ddc
SHA256: a6f6e5c3c97c144017680125611d208180a11cbede998b814eccc003d19958c9
SHA512: e89b997a3c3c2209b27413a4d91e8e85832bfb8b0a5732194d92f6e7f0d3b17c2b3835bc00d54d2851ecaaee7c6dceb09c6263bdeba9f8865f775ab341afe655
SSDEEP: 1536:u7f65g9OX2CLGAApICdOk/dYLAZXdlItBGTjeIOlnToIfqwqHTTarAW9ctzqmg1I:knlVICUkLrGGTINTBfqHHYcFqmaI
Malware Config
Extracted
family: njrat
version: 0.7d
campaign id (botnet): HacKed
C2: 127.0.0.1:666
mutex: d95e2235c32e093b2431125ea5df9722 (field label recovered from tria.ge's njRAT config layout; the value is identical to reg_key)
reg_key: d95e2235c32e093b2431125ea5df9722
splitter: |'|'|
Note: the only C2 in the extracted config is the loopback address, so this build cannot reach an operator from the sandbox; the file hashes, reg_key/mutex value and splitter are the usable indicators, not the network address.
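The splitter and campaign id above are what an analyst needs to pull njRAT traffic apart. The following is an added example written for this page, not code from tria.ge or from the njRAT author. It assumes the njRAT 0.7d wire format as described in public write-ups: each message is an ASCII decimal length, a NUL byte, then the payload; payload fields are joined with the configured splitter; and the "ll" registration message carries base64("<campaign>_<hwid>") as its second field, followed by hostname and username. The HWID, hostname and the byte stream are constructed, and field positions after the username are not relied on.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Values taken from this report's Malware Config section.
SPLITTER = "|'|'|"
CAMPAIGN_ID = "HacKed"
REG_KEY = "d95e2235c32e093b2431125ea5df9722"

# Assumed wire format (public njRAT 0.7d write-ups, not this report):
#   "<decimal length>\x00<payload>", fields joined with SPLITTER,
#   first field is the command ("ll" = registration, "P" = keepalive).


def frame(payload: bytes) -> bytes:
    """Wrap one payload in the assumed njRAT length prefix."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete payloads.

    Returns (payloads, remainder); the remainder is an incomplete trailing
    frame the caller should keep and prepend to the next recv().
    """
    payloads, pos = [], 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                    # no full length prefix yet
        prefix = stream[pos:nul]
        if not prefix.isdigit() or len(prefix) > 10:
            raise ValueError(f"bad length prefix {prefix!r} at offset {pos}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(stream):
            break                                    # body not fully received
        payloads.append(stream[start:end])
        pos = end
    return payloads, stream[pos:]


def split_fields(payload: bytes, splitter: str = SPLITTER) -> List[str]:
    """Split a payload on the configured njRAT splitter."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def decode_registration(fields: List[str]) -> Optional[Dict]:
    """Decode an 'll' registration message.

    Assumed layout: field 1 = base64("<campaign>_<hwid>"), field 2 = hostname,
    field 3 = username; later fields vary by build and are returned raw.
    """
    if len(fields) < 4 or fields[0] != "ll":
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None
    campaign, _, hwid = victim.partition("_")
    return {"campaign": campaign, "hwid": hwid, "hostname": fields[2],
            "username": fields[3], "extra": fields[4:]}


def build_sample_stream() -> bytes:
    """Constructed traffic, not a capture: a registration, a keepalive and a
    truncated third frame to exercise the remainder handling."""
    victim_tag = base64.b64encode(f"{CAMPAIGN_ID}_0123456789ABCDEF".encode()).decode()
    registration = SPLITTER.join(["ll", victim_tag, "WIN7-PC", "Admin", "0.7d"]).encode()
    keepalive = b"P"
    partial = b"17\x00" + SPLITTER.encode()[:3]     # length says 17, only 3 bytes arrived
    return frame(registration) + frame(keepalive) + partial


def analyse(stream: bytes) -> List[Dict]:
    """Parse every complete frame and flag registrations for this campaign."""
    results = []
    payloads, remainder = unframe(stream)
    for payload in payloads:
        fields = split_fields(payload)
        reg = decode_registration(fields)
        results.append({"command": fields[0], "registration": reg,
                        "matches_config": bool(reg) and reg["campaign"] == CAMPAIGN_ID})
    results.append({"command": None, "remainder_bytes": len(remainder)})
    return results


if __name__ == "__main__":
    for record in analyse(build_sample_stream()):
        print(record)
```

Feed a real stream in by replacing build_sample_stream() with the reassembled TCP payload from a capture; the length prefix is what lets the parser stay in sync across recv() boundaries, and a frame whose prefix is not decimal digits is the quickest sign that the splitter or framing assumption does not hold for a given build.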
Signatures
- Njrat family
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  3040  netsh.exe
  The command uses the legacy "netsh firewall" context (superseded by "netsh advfirewall" but still present on Windows 7) to add the dropped ServerName.exe as an allowed program, so the host firewall exempts the implant's traffic.
- Executes dropped EXE (1 IoC)
  pid   Process
  2764  ServerName.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                                     Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh   netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh   netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh   netsh.exe
  Caveat: all three events are reads of the helper-DLL list, which every netsh.exe start performs before loading its helpers; no write to this key is recorded, so the evidence is the sample running netsh, not registering a helper DLL of its own. The Wow6432Node path is WOW64 registry redirection, consistent with netsh.exe being launched from SysWOW64 (see Processes).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ServerName.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   netsh.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  All 35 events come from pid 2764 ServerName.exe: SeDebugPrivilege once, then 17 repetitions of the pair (Token: 33, Token: SeIncBasePriorityPrivilege). Privilege 33 is shown by its LUID value, unresolved to a name.
  description                        pid   Process         count
  Token: SeDebugPrivilege            2764  ServerName.exe  1
  Token: 33                          2764  ServerName.exe  17
  Token: SeIncBasePriorityPrivilege  2764  ServerName.exe  17
- Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent-to-child write is logged four times; the distinct edges are:
  description                       pid   Process                                             procid_target  count
  PID 2668 wrote to memory of 2776  2668  c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe  31             4
  PID 2776 wrote to memory of 2764  2776  cscript.exe                                         32             4
  PID 2764 wrote to memory of 3040  2764  ServerName.exe                                      33             4
  The three edges match the parent/child relationships in the Processes tree, so this signature reflects writes into freshly created children rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe"
   PID: 2668
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cscript.exe
      Command line: "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\5985.tmp\5986.tmp\5987.vbs //Nologo
      PID: 2776
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\ServerName.exe
         Command line: "C:\Users\Admin\AppData\Roaming\ServerName.exe"
         PID: 2764
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ServerName.exe" "ServerName.exe" ENABLE
            PID: 3040
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
Note: the 32-bit sample (tagged arch:x86) reaches the 64-bit cscript.exe through the sysnative alias, which is why the image path resolves to system32; the netsh.exe it later spawns is the 32-bit build under SysWOW64.
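The process tree above is the whole behavioural story: a script host started from %TEMP% runs an executable dropped under AppData, which then adds itself to the firewall. The following added detection example is written for this page and is not tria.ge code. It re-creates the four events as constructed process-creation records in the shape an EDR or Sysmon Event ID 1 feed provides (pid, ppid, image, command line), adds one constructed benign netsh call for contrast, and applies two rules: a firewall exception for a program under a user-writable path, and a script host spawning an executable from a user-writable path. PIDs and paths are taken from the report; the parent PIDs of the root process, the benign event and the rule names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Paths an unprivileged user can write to; a firewall exception for, or a new
# executable under, one of these is worth a look.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\", re.I
)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# Windows command-line tokenizer: runs of non-space characters in which quoted
# segments may contain spaces. Enough for netsh/cscript lines; not a full
# CommandLineToArgvW (no backslash-escaped quotes).
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_cmdline(cmdline: str) -> List[str]:
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def firewall_allowed_program(args: List[str]) -> Optional[str]:
    """Return the program a netsh command exempts from the firewall, or None.

    Handles the legacy form used by this sample
    (netsh firewall add allowedprogram [program=]PATH [name=]NAME [mode=]ENABLE)
    and the current one (netsh advfirewall firewall add rule ... program=PATH).
    """
    low = [a.lower() for a in args]
    if low[1:4] == ["firewall", "add", "allowedprogram"]:
        rest = args[4:]
        for a in rest:
            if a.lower().startswith("program="):
                return a.split("=", 1)[1]
        return rest[0] if rest else None
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for a in args[5:]:
            if a.lower().startswith("program="):
                return a.split("=", 1)[1]
    return None


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> str:
    """Render the chain from this process up to the oldest parent we have a record for."""
    names, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])
        names.append(basename(event["image"]))
        event = by_pid.get(event["ppid"])
    return " <- ".join(names)


def detect(events: List[Dict]) -> List[Dict]:
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        if image == "netsh.exe":
            program = firewall_allowed_program(split_cmdline(e["cmdline"]))
            if program and USER_WRITABLE.search(program):
                alerts.append({"rule": "firewall_exception_user_writable", "pid": e["pid"],
                               "program": program, "chain": ancestry(e, by_pid)})
        if (parent and basename(parent["image"]).lower() in SCRIPT_HOSTS
                and USER_WRITABLE.search(e["image"])):
            alerts.append({"rule": "script_host_spawned_user_writable_exe", "pid": e["pid"],
                           "program": e["image"], "chain": ancestry(e, by_pid)})
    return alerts


# Constructed records: the four processes from the report (ppid 1000 for the
# root is assumed) plus one benign, invented admin action that must not alert.
SAMPLE_EVENTS = [
    {"pid": 2668, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe"'},
    {"pid": 2776, "ppid": 2668, "image": r"C:\Windows\system32\cscript.exe",
     "cmdline": r'"C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\5985.tmp\5986.tmp\5987.vbs //Nologo'},
    {"pid": 2764, "ppid": 2776, "image": r"C:\Users\Admin\AppData\Roaming\ServerName.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\ServerName.exe"'},
    {"pid": 3040, "ppid": 2764, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ServerName.exe" "ServerName.exe" ENABLE'},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Backup agent" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire on the sample chain and neither on the constructed benign rule whose program lives under Program Files; the ancestry string gives the triage analyst the same four-process chain the sandbox drew, which is the context that separates this from an administrator running netsh by hand.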
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Downloads
File 1
  Filesize: 64KB
  MD5: b2cca365214a78a41e520385fe38ca6d
  SHA1: cc35acfe65dd34e10981a8a1b826d075ab73e558
  SHA256: 5e3416c1f4df20a75410f322edacb3247fe2e270a6abd13765f243f9f82cdb5a
  SHA512: 3c35f92f43e5a2cce29be8dd6d42a84a7436390224114c572c71dc4258b2beb35a1aea6ff4c9c82a60dc0ab3554da88fd880b5931204f450da30e6ac4ae3e384
File 2
  Filesize: 23KB
  MD5: 41131e8adc7272f892a2c93ef32a1c60
  SHA1: fe49f5293e0ec55720e9f1bb48666e513d16b81d
  SHA256: 81fa732787973ee56d454a5b438b6495a1c855c47f6e86c4d44b1f35f163546b
  SHA512: 006c21afcefaea738ab46939edbfb5c18fbf16e62afa2f2ff9d667a184a8f1eceeb65ae4c222245452fd1e016ce5849f4e1f5d2734f6684e9e9e8de59adc76ae