General

- Target: pisun.exe
- Size: 54KB
- Sample: 250322-lf62zsvmx2
- MD5: 45140e967970cd63521eaa76dc4db7d7
- SHA1: aae8aa4c5fb8e1d5a830f1f095d7550a89b7634a
- SHA256: 3990ab6d73f0a92606cb4c86d39e077f014da65413a264be94d03ca8478e64b8
- SHA512: d8c5274fc1c66700c3fb63527973cb20106070698eebdf90e6b3f9ace371e34a653e382f949683d9aab0cb33fdd00ab2b943e499a4d2d6f42a24822fa2142129
- SSDEEP: 768:U8I0g652Esltuq55JR2ET3NwJSNbxWQG35bmaePD5PvXOC2XXJdxIEpmvg:U8ZVGtZ5DTCGlWQcGD0LX3xIEpmvg
Behavioral task

- Task: behavioral1
- Sample: pisun.exe
- Resource: win11-20250314-en
Malware Config

Extracted family: njrat

- Version: <- NjRAT 0.7d Horror Edition ->
- C2: such-captain.gl.at.ply.gg:7723
- Victim: f9f7ecca9c9e7996304b914cc137e66d
- reg_key: f9f7ecca9c9e7996304b914cc137e66d
- splitter: Y262SUCZ4UJJ

Note for hunting: the C2 host is a *.gl.at.ply.gg subdomain, which is a playit.gg tunnel endpoint, so the address identifies the tunnel service rather than the operator's own infrastructure; block or alert on the hostname and port rather than expecting a stable IP. The Victim identifier and reg_key are the same string here, which is usual for njRAT builds and gives a single value to search for in Run keys and in beacon traffic.
Targets

- Target: pisun.exe (54KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)

Signatures (behavioral1)
- Njrat family
- UAC bypass
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures: attackers can modify the Cryptography and Authenticode registry keys (SIP and trust provider registrations) so that their binary is treated as validly signed.
- Possible privilege escalation attempt
- Executes dropped EXE
- Modifies file permissions
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Power Settings: powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from locking or shutting down.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Enumerates processes with tasklist
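Most of the signatures above are registry artifacts, so a responder can confirm them on a suspect host without the sandbox. The script below is an added example for this page, not tooling or output from tria.ge; the only sample-specific value it uses is the reg_key from the extracted config, and every registry path is the standard Windows location for that setting. It is read-only. Run it as the user that executed the sample, since the Run entry and the RegEdit/Task Manager policies live under HKCU:

```powershell
# Added example for this page (not tria.ge output). Read-only host check for the
# registry artifacts named in the signatures above. Run as the user that executed
# the sample, because the Run key and policy values live under HKCU.

$RegKey   = 'f9f7ecca9c9e7996304b914cc137e66d'   # reg_key from the extracted njRAT config
$findings = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding([string]$Text) { $script:findings.Add($Text) }

# 1. Registry Run keys (persistence). njRAT registers itself under the value
#    named by reg_key; any other unexpected entry is worth a look too.
$runPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($p in $runPaths) {
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip provider metadata (PSPath etc.)
        $flag = if ($prop.Name -eq $RegKey) { '  <== matches njRAT reg_key' } else { '' }
        Add-Finding "Run entry: $p\$($prop.Name) = $($prop.Value)$flag"
    }
}

# 2. Policies that disable RegEdit and Task Manager (Impair Defenses).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $pol) {
    $sys = Get-ItemProperty -Path $pol
    if ($sys.DisableRegistryTools -eq 1) { Add-Finding "Policy: DisableRegistryTools = 1 ($pol)" }
    if ($sys.DisableTaskMgr -eq 1)       { Add-Finding "Policy: DisableTaskMgr = 1 ($pol)" }
}

# 3. Image File Execution Options: a Debugger value redirects the named
#    executable to whatever binary the value points at.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding "IFEO Debugger: $($_.PSChildName) -> $dbg" }
}

# 4. UAC state (the sample checks whether UAC is enabled before its bypass).
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) { Add-Finding "UAC: EnableLUA = $($uac.EnableLUA) (UAC is off)" }

# 5. SIP and Trust Provider Hijacking: the DLL registered to verify PE
#    Authenticode signatures should be the Microsoft wintrust.dll.
$sipPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\' +
           'CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
if (Test-Path $sipPath) {
    $sip = Get-ItemProperty -Path $sipPath
    if ($sip.Dll -notmatch 'wintrust\.dll$') {
        Add-Finding "SIP hijack: PE verify DLL = $($sip.Dll), FuncName = $($sip.FuncName)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A clean host prints "No indicators found." except for whatever legitimate Run entries it has, so read the Run output rather than treating every line as a hit. The SIP check only covers the PE verification registration; a full check also looks at the WOW6432Node copy of that key and at the trust provider entries under HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust. The MBR write flagged in the signatures cannot be confirmed from the registry; that needs a raw read of sector 0 of the system disk and a comparison against a known-good boot sector.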
-
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Accessibility Features (1)
  - Image File Execution Options Injection (1)
- Power Settings (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Accessibility Features (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Access Token Manipulation (1)
  - Create Process with Token (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)

Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (2)
- Process Discovery (1)
- Query Registry (4)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)