Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26/12/2024, 23:46
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_da09dcb834819e8acd123a7fb06e38c8dd584522753003cfa9d501df0a2b3a83.tar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_da09dcb834819e8acd123a7fb06e38c8dd584522753003cfa9d501df0a2b3a83.tar
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
456-Invoice.js
Resource
win7-20240903-en
General
-
Target
456-Invoice.js
-
Size
166KB
-
MD5
c000b245272ad81b74958689e4b3352e
-
SHA1
ce74042c88b852c6a5b00186096f0ce42afc38b6
-
SHA256
f19462db16c63e8c26095f8ee024340649e0b2cb26a9ba9d08691b6d01e4f2be
-
SHA512
f9b3f811a4be2bee356d9265d15a20a00d41b4a5933d8ab5adcf683ce23cab0ac0b6a7cbdbc97abb509385082aa038d11f1b4f8e502f61e6a42535bbd4df155c
-
SSDEEP
3072:Z6EsOoG2OGyjn37WIMnhHXmhRZkIQQZ9ophBCvD9hsbVhjv5:PsOotKeIMnimk+EIb5
Malware Config
Extracted
njrat
0.7.3
SUCCEED
194.5.97.156:7654
Client.exe
-
reg_key
Client.exe
-
splitter
0149266241@@@
Signatures
-
Njrat family
-
Vjw0rm family
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgrKtkfSUZ.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgrKtkfSUZ.js wscript.exe -
Executes dropped EXE 1 IoCs
pid Process 2668 New Client.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\YgrKtkfSUZ.js\"" wscript.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2760 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe Token: 33 2668 New Client.exe Token: SeIncBasePriorityPrivilege 2668 New Client.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1048 wrote to memory of 1676 1048 wscript.exe 28 PID 1048 wrote to memory of 1676 1048 wscript.exe 28 PID 1048 wrote to memory of 1676 1048 wscript.exe 28 PID 1048 wrote to memory of 2668 1048 wscript.exe 29 PID 1048 wrote to memory of 2668 1048 wscript.exe 29 PID 1048 wrote to memory of 2668 1048 wscript.exe 29 PID 1048 wrote to memory of 2668 1048 wscript.exe 29 PID 2668 wrote to memory of 2772 2668 New Client.exe 31 PID 2668 wrote to memory of 2772 2668 New Client.exe 31 PID 2668 wrote to memory of 2772 2668 New Client.exe 31 PID 2668 wrote to memory of 2772 2668 New Client.exe 31 PID 2668 wrote to memory of 2760 2668 New Client.exe 33 PID 2668 wrote to memory of 2760 2668 New Client.exe 33 PID 2668 wrote to memory of 2760 2668 New Client.exe 33 PID 2668 wrote to memory of 2760 2668 New Client.exe 33
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js1⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"2⤵
- Drops startup file
- Adds Run key to start application
PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
- System Location Discovery: System Language Discovery
PID:2772
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 13⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2760
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {85AFC9E2-2A74-4809-A729-B0C32218CB3A} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵PID:2016
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD54c1c9fdf28215ae2f0f681349b66bbff
SHA18ab23d0ee7a361c8f29622fa9ba05f6644e24e9a
SHA25650842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a
SHA512f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5
-
Filesize
10KB
MD54e1188211bc0a1f728e5a97cf47a7105
SHA1740914054d0824fbacf494855eb9121355a49740
SHA256ada3ac15b6fd893f1f8b1a4ad1f6d4cbc86c566c0d5a639c4dda15f4727f2cee
SHA512b37d9c26c44b45e89a4732439480bf6d09e292fb85ef054a4a591cb7228eeef0f8595aeaf12824771c033297ea218996d6e4c9006972c15a58d02b89365b2a14