Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 01/01/2025, 08:44
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe
- Size: 48KB
- MD5: 4e97e808f0bc531c95b60562e0e289ae
- SHA1: bd01e6d968c9946155029f497a63cfdb91f7b708
- SHA256: f6c531602d523694686d6ff60ef3024115a37a5d9a668330e51eeb88820e14d9
- SHA512: 87267a81888b0fca879a076fab5e471e546b31c73603e5361126abf4abd130c602c8a1d7bdc30079329fa94ebf46f1a61314eefb607eaece802641c80e89c1e2
- SSDEEP: 768:GEck08b71uCZlqrxgqDhhYSWElLQHzwjb1LLLLLLLLeeDG:Ghd8s6KDfZtb4eDG
Malware Config
Signatures
- Njrat family
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  2604 | netsh.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dbd4c6a4c9a4acc93b7f4229de2928f0.exe | Mirosoft.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dbd4c6a4c9a4acc93b7f4229de2928f0.exe | Mirosoft.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2564 | Mirosoft.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2708 | JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dbd4c6a4c9a4acc93b7f4229de2928f0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mirosoft.exe\" .." | Mirosoft.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dbd4c6a4c9a4acc93b7f4229de2928f0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mirosoft.exe\" .." | Mirosoft.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mirosoft.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2564 | Mirosoft.exe
  Token: 33 | 2564 | Mirosoft.exe
  Token: SeIncBasePriorityPrivilege | 2564 | Mirosoft.exe
  (the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair above is recorded 17 times in alternation, all by pid 2564 Mirosoft.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2708 wrote to memory of 2564 | 2708 | JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe | 30
  PID 2708 wrote to memory of 2564 | 2708 | JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe | 30
  PID 2708 wrote to memory of 2564 | 2708 | JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe | 30
  PID 2708 wrote to memory of 2564 | 2708 | JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe | 30
  PID 2564 wrote to memory of 2604 | 2564 | Mirosoft.exe | 31
  PID 2564 wrote to memory of 2604 | 2564 | Mirosoft.exe | 31
  PID 2564 wrote to memory of 2604 | 2564 | Mirosoft.exe | 31
  PID 2564 wrote to memory of 2604 | 2564 | Mirosoft.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4e97e808f0bc531c95b60562e0e289ae.exe"
   PID: 2708
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Mirosoft.exe (child of PID 2708)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Mirosoft.exe"
      PID: 2564
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of PID 2564)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Mirosoft.exe" "Mirosoft.exe" ENABLE
         PID: 2604
         - Modifies Windows Firewall
         - Event Triggered Execution: Netsh Helper DLL
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)