Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/06/2024, 15:22 UTC

General

  • Target

    073b159eb8e8458f0f130191a8edcbce_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    073b159eb8e8458f0f130191a8edcbce

  • SHA1

    088aa82107fd6e669c350269ca3c4f75a73bfb6b

  • SHA256

    548f3abab155389d2df54938b04d56a662a8a0d49728b25828eb9e9be04b551e

  • SHA512

    9bf78abe09ea2fbfeb08b2fa4e1c8492557d0e2df85e78e19a4a98fbdbd72904777f1b8a73f9641ea2f337a58b8889b22768ff072fb023bdd95e10ea7f6bcd32

  • SSDEEP

    3072:Coy8j7VnNdrPHaSekwi+mW+2yL4RFout:S8jZ7rvaU3+mWryL4voS

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 17 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\073b159eb8e8458f0f130191a8edcbce_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\073b159eb8e8458f0f130191a8edcbce_JaffaCakes118.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\mstwain32.exe
      "C:\Windows\mstwain32.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2224

Network

  • flag-us
    DNS
    AGFA.ZAPTO.ORG
    mstwain32.exe
    Remote address:
    8.8.8.8:53
    Request
    AGFA.ZAPTO.ORG
    IN A
    Response
    AGFA.ZAPTO.ORG
    IN A
    94.73.22.187
  • flag-us
    DNS
    AGFA.ZAPTO.ORG
    mstwain32.exe
    Remote address:
    8.8.8.8:53
    Request
    AGFA.ZAPTO.ORG
    IN A
    Response
    AGFA.ZAPTO.ORG
    IN A
    94.73.22.187
  • flag-us
    DNS
    AGFA.ZAPTO.ORG
    mstwain32.exe
    Remote address:
    8.8.8.8:53
    Request
    AGFA.ZAPTO.ORG
    IN A
    Response
    AGFA.ZAPTO.ORG
    IN A
    94.73.22.187
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    152 B
    3
  • 94.73.22.187:15963
    AGFA.ZAPTO.ORG
    mstwain32.exe
    52 B
    1
  • 8.8.8.8:53
    AGFA.ZAPTO.ORG
    dns
    mstwain32.exe
    60 B
    76 B
    1
    1

    DNS Request

    AGFA.ZAPTO.ORG

    DNS Response

    94.73.22.187

  • 8.8.8.8:53
    AGFA.ZAPTO.ORG
    dns
    mstwain32.exe
    60 B
    76 B
    1
    1

    DNS Request

    AGFA.ZAPTO.ORG

    DNS Response

    94.73.22.187

  • 8.8.8.8:53
    AGFA.ZAPTO.ORG
    dns
    mstwain32.exe
    60 B
    76 B
    1
    1

    DNS Request

    AGFA.ZAPTO.ORG

    DNS Response

    94.73.22.187

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mstwain32.exe

    Filesize

    108KB

    MD5

    073b159eb8e8458f0f130191a8edcbce

    SHA1

    088aa82107fd6e669c350269ca3c4f75a73bfb6b

    SHA256

    548f3abab155389d2df54938b04d56a662a8a0d49728b25828eb9e9be04b551e

    SHA512

    9bf78abe09ea2fbfeb08b2fa4e1c8492557d0e2df85e78e19a4a98fbdbd72904777f1b8a73f9641ea2f337a58b8889b22768ff072fb023bdd95e10ea7f6bcd32

  • memory/2036-12-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2036-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2036-5-0x0000000001F40000-0x0000000001F50000-memory.dmp

    Filesize

    64KB

  • memory/2036-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-26-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-30-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

    Filesize

    960KB

  • memory/2828-18-0x0000000000490000-0x000000000049E000-memory.dmp

    Filesize

    56KB

  • memory/2828-21-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

    Filesize

    960KB

  • memory/2828-20-0x0000000075DC0000-0x0000000075DC1000-memory.dmp

    Filesize

    4KB

  • memory/2828-23-0x00000000002C0000-0x00000000002C8000-memory.dmp

    Filesize

    32KB

  • memory/2828-22-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-24-0x0000000000490000-0x000000000049E000-memory.dmp

    Filesize

    56KB

  • memory/2828-25-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-13-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-29-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

    Filesize

    960KB

  • memory/2828-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

  • memory/2828-31-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-34-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-37-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-41-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-44-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-47-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-50-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-53-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-56-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-59-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-62-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2828-65-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB
