Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 15/06/2024, 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
Size: 904KB
MD5: adb4871da80855607760738d9d7670c2
SHA1: 07c6d131acd72cb8cc68e51905fdf1a7ef3b92d1
SHA256: e5e84f76ada6cdc1d014815b75a2508fbeba5a08372bd1d027b987295ef654a9
SHA512: cc40c80aa2acc06e8085e793c4bb715625626dbc78deed45e17b2417393330a38a2aa268d6d95686d50e40a94433e8f7d651d889eab5dd94572bcbc334004c67
SSDEEP: 24576:eNcBtkZXdep+UH2FZtzyVSHkZcQt6SRHMbP:5eu+UWFPe8evdsbP
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (3 IoCs)
  resource: behavioral1/files/0x000d00000001227b-15.dat  yara_rule: modiloader_stage1
  resource: behavioral1/memory/1200-19-0x0000000000400000-0x0000000000486000-memory.dmp  yara_rule: modiloader_stage1
  resource: behavioral1/memory/1200-21-0x0000000000400000-0x0000000000486000-memory.dmp  yara_rule: modiloader_stage1
- Executes dropped EXE (1 IoC)
  pid: 1200  Process: msdos.scr
- Loads dropped DLL (4 IoCs)
  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2980 wrote to memory of 1200  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe  procid_target: 28
  description: PID 2980 wrote to memory of 1200  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe  procid_target: 28
  description: PID 2980 wrote to memory of 1200  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe  procid_target: 28
  description: PID 2980 wrote to memory of 1200  pid: 2980  Process: adb4871da80855607760738d9d7670c2_JaffaCakes118.exe  procid_target: 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\adb4871da80855607760738d9d7670c2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\adb4871da80855607760738d9d7670c2_JaffaCakes118.exe"
   PID: 2980
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\msdos.scr (child of PID 2980)
      Command line: "C:\Users\Admin\AppData\Local\Temp\msdos.scr" /S
      PID: 1200
      - Executes dropped EXE
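The signature table above gives the ModiLoader stage-1 hits as artefact names (a dropped file plus two memory dumps of PID 1200), and the process tree gives the parent/child relationship and the WriteProcessMemory rows. The following is an added example, not tria.ge's own code or export format: it parses the memory-dump artefact names into PID, snapshot index and address range, re-derives the dropper chain (a Temp-resident parent launching a dropped .scr from Temp and then writing into it) from constructed process events that mirror the report's rows, and combines both into one triage summary. The event dictionaries and their field names (`event`, `pid`, `ppid`, `image`, `cmdline`, `target_pid`) are my own assumption, not a format the sandbox exports.

```python
"""Added example for this report (not tria.ge's own code or export format):
parse the memory-dump artefact names listed under 'ModiLoader First Stage'
and re-derive the dropper chain from the process tree, then emit a short
triage summary. Event dictionaries and their field names are a constructed
approximation of the report's process and WriteProcessMemory rows."""
import re
from dataclasses import dataclass

# Artefact naming seen in the report: <task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)
TEMP_DIR = r"c:\users\admin\appdata\local\temp"  # the sandbox user's %TEMP% as shown in the report


@dataclass(frozen=True)
class MemoryRegion:
    task: str
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> MemoryRegion:
    """Turn a memory-dump artefact name into pid, snapshot index and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump artefact name: {name}")
    return MemoryRegion(m["task"], int(m["pid"]), int(m["idx"]),
                        int(m["start"], 16), int(m["end"], 16))


def in_temp(path: str) -> bool:
    return path.lower().startswith(TEMP_DIR)


def flag_dropper_chain(events):
    """Flag a Temp-resident parent that launches a dropped .scr from Temp
    and then writes into that child's memory (the pattern in this report)."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    writes = {}
    for e in events:
        if e["event"] == "write_process_memory":
            writes.setdefault(e["pid"], set()).add(e["target_pid"])
    findings = []
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None:
            continue
        if not (proc["image"].lower().endswith(".scr")
                and in_temp(proc["image"]) and in_temp(parent["image"])):
            continue
        findings.append({
            "child_pid": pid,
            "parent_pid": parent["pid"],
            "cmdline": proc["cmdline"],
            "parent_wrote_memory": pid in writes.get(parent["pid"], set()),
        })
    return findings


def summarize(rule_resources, events):
    """Combine the YARA hit artefacts with the process tree into one summary."""
    regions = [parse_dump_name(r) for r in rule_resources if "/memory/" in r]
    per_pid = {}
    for r in regions:
        per_pid.setdefault(r.pid, set()).add((r.start, r.end))
    return {
        "regions": regions,
        "distinct_regions_per_pid": {pid: len(s) for pid, s in per_pid.items()},
        "file_hits": [r for r in rule_resources if "/files/" in r],
        "findings": flag_dropper_chain(events),
    }


# Constructed from the report's own rows (three modiloader_stage1 hits; pid 2980 -> pid 1200).
STAGE1_RESOURCES = [
    "behavioral1/files/0x000d00000001227b-15.dat",
    "behavioral1/memory/1200-19-0x0000000000400000-0x0000000000486000-memory.dmp",
    "behavioral1/memory/1200-21-0x0000000000400000-0x0000000000486000-memory.dmp",
]
PARENT = r"C:\Users\Admin\AppData\Local\Temp\adb4871da80855607760738d9d7670c2_JaffaCakes118.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\msdos.scr"
EVENTS = [
    {"event": "process_create", "pid": 2980, "ppid": 0, "image": PARENT, "cmdline": f'"{PARENT}"'},
    {"event": "process_create", "pid": 1200, "ppid": 2980, "image": CHILD, "cmdline": f'"{CHILD}" /S'},
] + [{"event": "write_process_memory", "pid": 2980, "target_pid": 1200}] * 4

if __name__ == "__main__":
    s = summarize(STAGE1_RESOURCES, EVENTS)
    for r in s["regions"]:
        print(f"pid {r.pid} snapshot {r.index}: 0x{r.start:x}-0x{r.end:x} ({r.size} bytes)")
    for f in s["findings"]:
        print(f)
```

Run against the report's rows, the parser shows that the two memory hits are the same 0x400000-0x486000 range of PID 1200 captured at two snapshots (indexes 19 and 21), so the "3 IoCs" amount to one dropped file plus one in-memory region seen twice; 0x400000 is the default image base for a 32-bit PE executable, which is consistent with the arch:x86 tag but is an inference, not something the report states. The chain check fires once, for msdos.scr (PID 1200) spawned by the Temp-resident sample (PID 2980) with the parent having written into it.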
Network
MITRE ATT&CK Enterprise v15
Downloads
- Download 1
  Filesize: 1010KB
  MD5: 443ac263ce403bc1233f82b1ecdcd33a
  SHA1: baaf21d078f9de6ec0b16b17c9b9e3240352164a
  SHA256: 9743874e33d5932c767cedea36218005b47204eabd57d00882245dd72ebf4fda
  SHA512: b70f30a65bcf439ab6bafadabdbf92c7c864fe02308da6c5264c3f2e7a125d16d0791dd3f8fe0352f21d5cea55a70a2aa6bdd7c3316707b65958dd7b2926efb1
- Download 2
  Filesize: 514KB
  MD5: 55d29aedcaa8857c64b606d367c560b5
  SHA1: 02d6cb238a3ae15e9a8c1178d5d63d437b6f798c
  SHA256: 3870b801527efb88b26364ac518c682ebb5593096efb26b609be56737767d731
  SHA512: 38bbd1ef87d754ae06f0e44e0c7d065b5044aa666fa9e4e8fb0d9e390a8861a6ce4bd2b15d1c47d9c1a9bf0dc4701b5aeed2116963c2d451c9ff0b5553a86f39