Analysis
  Max time kernel:  153s
  Max time network: 151s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20240226-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        20/04/2024, 17:39
Behavioral tasks
  behavioral1: sample fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe, resource win7-20240215-en
  behavioral2: sample fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe, resource win10v2004-20240226-en
General
  Target: fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe
  Size:   682KB
  MD5:    fd45799c56f0dcd32270e4bf4ea157fa
  SHA1:   49ffb5d87b42245656c4e5635d98b2a5a9e4382e
  SHA256: 33a012eb212119442faeb1886886a1089750d3e656bbf85f353a4521e7e85413
  SHA512: 3fad588b545de3bbe43cee0168dae8b420cccec72a99868f06be1560c111f19b871abb34f56bde48d683c8500664ff265ea9c1157afef7db36dfeb69fa3e94e8
  SSDEEP: 12288:NXWniocbQsVHkmabnl7ssqKp0gM+G4whvSJ7oySY+6ra9q0AlL6kSH1NDFIV:NXkiocksCmabnl7ssqWhU4ue8yJoqckL
Malware Config
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description     | ioc                                                                                                                                      | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tazebama.dl_

ModiLoader Second Stage (2 IoCs)
  resource                                                                  | yara_rule
  behavioral2/memory/2384-10-0x0000000000400000-0x000000000048C000-memory.dmp | modiloader_stage2
  behavioral2/memory/2384-64-0x0000000000400000-0x000000000048C000-memory.dmp | modiloader_stage2

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                    | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe

Executes dropped EXE (5 IoCs)
  pid  | process
  1896 | tazebama.dl_
  936  | ÈÇÊÔ ÕæÊ.exe
  716  | superscan v3.0.exe
  1712 | ÈÇÊÔ ÕæÊ.exe
  1868 | ÈÇÊÔ ÕæÊ.exe

Loads dropped DLL (1 IoC)
  pid  | process
  2384 | fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe

Yara rule matches: upx (7 IoCs; the signature title for this table is missing from the page)
  resource                                                                  | yara_rule
  behavioral2/files/0x000a00000002325f-56.dat                               | upx
  behavioral2/memory/716-63-0x0000000000400000-0x000000000042A000-memory.dmp  | upx
  behavioral2/memory/1712-68-0x0000000000400000-0x0000000000427000-memory.dmp | upx
  behavioral2/memory/1712-71-0x0000000000400000-0x0000000000427000-memory.dmp | upx
  behavioral2/memory/1712-72-0x0000000000400000-0x0000000000427000-memory.dmp | upx
  behavioral2/memory/1712-83-0x0000000000400000-0x0000000000427000-memory.dmp | upx
  behavioral2/memory/716-94-0x0000000000400000-0x000000000042A000-memory.dmp  | upx

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | process
  File opened (read-only) | \??\O: | tazebama.dl_
  File opened (read-only) | \??\J: | tazebama.dl_
  File opened (read-only) | \??\I: | tazebama.dl_
  File opened (read-only) | \??\E: | tazebama.dl_
  File opened (read-only) | \??\X: | tazebama.dl_
  File opened (read-only) | \??\U: | tazebama.dl_
  File opened (read-only) | \??\R: | tazebama.dl_
  File opened (read-only) | \??\Q: | tazebama.dl_
  File opened (read-only) | \??\P: | tazebama.dl_
  File opened (read-only) | \??\L: | tazebama.dl_
  File opened (read-only) | \??\H: | tazebama.dl_
  File opened (read-only) | \??\G: | tazebama.dl_
  File opened (read-only) | \??\V: | tazebama.dl_
  File opened (read-only) | \??\T: | tazebama.dl_
  File opened (read-only) | \??\W: | tazebama.dl_
  File opened (read-only) | \??\S: | tazebama.dl_
  File opened (read-only) | \??\M: | tazebama.dl_
  File opened (read-only) | \??\K: | tazebama.dl_
  File opened (read-only) | \??\Z: | tazebama.dl_
  File opened (read-only) | \??\Y: | tazebama.dl_
  File opened (read-only) | \??\N: | tazebama.dl_

Drops autorun.inf file (1 TTP, 3 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description                  | ioc                                                                                                  | process
  File opened for modification | F:\autorun.inf                                                                                       | tazebama.dl_
  File opened for modification | C:\autorun.inf                                                                                       | tazebama.dl_
  File opened for modification | C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf | tazebama.dl_

Suspicious use of SetThreadContext (2 IoCs)
  description                         | pid  | process      | procid_target
  PID 936 set thread context of 1712  | 936  | ÈÇÊÔ ÕæÊ.exe | 98
  PID 1712 set thread context of 1868 | 1712 | ÈÇÊÔ ÕæÊ.exe | 99

Drops file in Program Files directory (1 IoC)
  description                  | ioc                                                                 | process
  File opened for modification | C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE | tazebama.dl_

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid  | pid_target | process      | procid_target
  4364 | 1896       | WerFault.exe | 92

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid  | process
  1896 | tazebama.dl_ (2 identical entries)
  1868 | ÈÇÊÔ ÕæÊ.exe (4 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  | process
  936  | ÈÇÊÔ ÕæÊ.exe
  1712 | ÈÇÊÔ ÕæÊ.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical rows collapsed with their counts)
  description                       | pid  | process                                            | procid_target | entries
  PID 2384 wrote to memory of 1896  | 2384 | fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe | 92            | 3
  PID 2384 wrote to memory of 936   | 2384 | fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe | 96            | 3
  PID 2384 wrote to memory of 716   | 2384 | fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe | 97            | 3
  PID 936 wrote to memory of 1712   | 936  | ÈÇÊÔ ÕæÊ.exe                                       | 98            | 8
  PID 1712 wrote to memory of 1868  | 1712 | ÈÇÊÔ ÕæÊ.exe                                       | 99            | 7
  PID 1868 wrote to memory of 3164  | 1868 | ÈÇÊÔ ÕæÊ.exe                                       | 56            | 4
Processes (depth in the tree given by the leading number)

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 3164

   2  C:\Users\Admin\AppData\Local\Temp\fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fd45799c56f0dcd32270e4bf4ea157fa_JaffaCakes118.exe"
      signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2384

      3  C:\Documents and Settings\tazebama.dl_
         command line: "C:\Documents and Settings\tazebama.dl_"
         signatures: Modifies visibility of file extensions in Explorer; Executes dropped EXE; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses
         PID: 1896

         4  C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 760
            signatures: Program crash
            PID: 4364

      3  C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe"
         signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
         PID: 936

         4  C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe"
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            PID: 1712

            5  C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe
               command line: "C:\Users\Admin\AppData\Local\Temp\ÈÇÊÔ ÕæÊ.exe"
               signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
               PID: 1868

      3  C:\Users\Admin\AppData\Local\Temp\superscan v3.0.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\superscan v3.0.exe"
         signatures: Executes dropped EXE
         PID: 716

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1896 -ip 1896
   PID: 556

1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
   PID: 4804
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 245KB
  MD5:      0071813eb4668769a15fcd2d1ca1686d
  SHA1:     a9a02a14ea4e78af30b8b4a7e1c6ed500a36bc4d
  SHA256:   a4df0e59a28d75e143117051a04d52f4a61a9ea7b23c41ad51a3a829cad62b58
  SHA512:   285f760efac8ccfaba213e88998d37a5e3191071bb245f63d7952b65ec9a1e7ec214270beca65d9a3013db849f64977be7f6110425fd29fcc58eb78cac982e8a

  Filesize: 273KB
  MD5:      0df539fe12e647170112b53522e9bc8a
  SHA1:     5acbe197c0ae8b5d435b944a3e7107ac64a28976
  SHA256:   20847b0f9546766aeb521e7e1168a29b1249411556898ffdf34d559aab60d469
  SHA512:   a661495768449b1931c319a772f6220fc1d4ed2f100eec5f0fdd839c7f0786c02276539fd6bc1b1dc1b1e478aa446070cecf50a97ab12fa6a9bac86696d46810

  Filesize: 151KB
  MD5:      d0571692ad4ef78bf228fa04d0e42c4f
  SHA1:     e0a77445c64afd3b444cbd0dc03f3ba01f93a8a6
  SHA256:   e645073811578d5d7e4ed393be78595da8fe2b7a8cb213ecbdaedce8d37a09c1
  SHA512:   68a293d219e705918d881b1d1415e6c60820998c4c99bb48990a4d70e3b78d5d8e4c4038c0388c2a1dd882cea626507d4da1c2ac8d81fc81803b6e6944770fc1

  Filesize: 32KB
  MD5:      b6a03576e595afacb37ada2f1d5a0529
  SHA1:     d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8
  SHA256:   1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad
  SHA512:   181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

  Filesize: 126B
  MD5:      163e20cbccefcdd42f46e43a94173c46
  SHA1:     4c7b5048e8608e2a75799e00ecf1bbb4773279ae
  SHA256:   7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
  SHA512:   e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

  Filesize: 71KB
  MD5:      7446844a4a16e81c2a50c033f9a29c28
  SHA1:     9ff1fa63155cfd8d235b39fa56a858bb4c583b82
  SHA256:   375dd1e4b3829eb6dd6b9a5e734b961c530c8a746dfc5bbe8bdde5560dc435c1
  SHA512:   bd4d17604ef7027c43c5b9778426746616c9b6bbd9a8f7dea676c425ebb908c54b2ff3b75a9b6078deb118a6bb7f66e5c2dc705f39b12fe098bfa68e65fcc854