Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9c8c94cb2f...18.exe

windows7-x64

10

9c8c94cb2f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    11/06/2024, 01:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe

  • Size

    271KB

  • MD5

    9c8c94cb2f4467665c307b6da59022e6

  • SHA1

    9875930cfd41636e94fedd9641c360551bb8274c

  • SHA256

    9db87af0939edd62fec396d9af38b1e554d81d969974f7977014fb80f5489f03

  • SHA512

    ae082411a8cf767722c615d370c98ad3962d8a8ab64c26c5dff39563e5a9aeadfc9174f67298281a405493f2b8a7f6c1f0afad45058e22b33fe06aa205c82be4

  • SSDEEP

    3072:l6CCZ+GH7dCCYP4dmFrSvLWG88MOE+cjqr3au5llnt6pCO4d+Lk24SBXpjihtlyJ:JVmLW/8MCp5llt6wFd5oPji7r5yTh34E

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 59 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\9c8c94cb2f4467665c307b6da59022e6_JaffaCakes118.exe"
      2⤵
        PID:1868
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:WR1jI="FeD";yk87=new%20ActiveXObject("WScript.Shell");Y4i5HMsef="8crhm6";AtG7d=yk87.RegRead("HKLM\\software\\Wow6432Node\\gM7d47Y\\aXHU5MrtV");stH5w="iqsrY0za";eval(AtG7d);diQr7p="js";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:yszr
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Drops startup file
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1532

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\ed3e8\5cad4.cc93a6
        Filesize

        9KB

        MD5

        a3237c7d4d3529b255065045a866407f

        SHA1

        947a7f485e1f7b6f8f95f6553838398218a85034

        SHA256

        8695dbc729ef64c145b7cef10e7416b5d169284655d10550b083b98494383114

        SHA512

        cc180af93e4fd6dc043c01eb32e9b6046c99c6ef9410318688fbd4784daaf53eb6fb096d0469e44c6190372154d0d6d60b7807f26cb1d5f46e6fd12b2b7ef11e

        Download Submit

      • C:\Users\Admin\AppData\Local\ed3e8\bc0ec.bat
        Filesize

        58B

        MD5

        c9726b1023d08f87d7c310ef440fc21a

        SHA1

        e121739a7d5fd0bd5e0a08827105a41798195629

        SHA256

        009c0ef73332c5aae4e96ba2013e33cda30f312c604c5b1e768c190a522160fc

        SHA512

        571d0720f495a92114cdce0abbf951bd3ac6f66394adc88964c3870feb2552640290d65bf739c9e844e4f0c33ddbda9e39f6e66cfaad8a4b35a210df05efe1b0

        Download Submit

      • C:\Users\Admin\AppData\Local\ed3e8\d468b.lnk
        Filesize

        865B

        MD5

        fa90eafb8c7f1c15d1231407966f1ce4

        SHA1

        da7db912ae88d31b444c39785c9e88d5e3af62a6

        SHA256

        62815180bd6abb5a39cafe84cd992dd10cd6c1900fc40ad8a2f8af5d1ff1c108

        SHA512

        f665e6901c5547ea579a632f2bc09c7b55b3affd4c70cf58f32142b108a14ab5057d28cc37ecedb8399cbd6f85a4b7e8df9ef3550fdb820c6ddde82d69f8fe2c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\158f4\93aca.cc93a6
        Filesize

        21KB

        MD5

        80ebe27d6e6ad3594db0833b87ded29e

        SHA1

        462b1fcc7cd5766527512029b237692670076139

        SHA256

        f14a6b537a284193ebf7182a9a15559036fa63ba6d113a24fe5d6315edf79a89

        SHA512

        c166ff2a45d72a2b9011bc70ba9df773673dfe97b9cb07549eacdaf7f20b3aee278536191c45d9348108ca330fa40f6b26a5650939e6f68c070d15215d7e0e30

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d7d1.lnk
        Filesize

        981B

        MD5

        5b21b814147b7173907ba11baa44c155

        SHA1

        e7371e332c93bc99fcada9d58385d2b4504c1608

        SHA256

        f5608e71a80d3c04a3f8a3c7f63829a71cf253161466f02ae4206c837522d0fd

        SHA512

        339bb9606a54fb65f5ae30f692d7a3e99133e6fcde3c8ccd1cda750ba8d1a4878d907395f0c1f60077623def83c97abfcee967679ba4c5dc517fef5a14a2eb28

        Download Submit

      • memory/1532-79-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-80-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-77-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-67-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-75-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-74-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-72-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-78-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-81-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-82-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-76-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-73-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-68-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-69-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-70-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1532-71-0x0000000000200000-0x0000000000341000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1868-11-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-2-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/1868-12-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-8-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-9-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-10-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-7-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-6-0x0000000001D80000-0x0000000001E56000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1868-5-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/1868-4-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2584-46-0x0000000006230000-0x0000000006306000-memory.dmp

        Filesize

        856KB

        Download

      • memory/2584-21-0x0000000006230000-0x0000000006306000-memory.dmp

        Filesize

        856KB

        Download

      • memory/2904-28-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-38-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-37-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-36-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-34-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-33-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-32-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-31-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-30-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-29-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-39-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-40-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-41-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-42-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-44-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-49-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-54-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-58-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-59-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-66-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-47-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-48-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-57-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-60-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-55-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-43-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-35-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-27-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-26-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-24-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2904-23-0x0000000000250000-0x0000000000391000-memory.dmp

        Filesize

        1.3MB

        Download