Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28/06/2024, 12:21
Static task: static1
Behavioral task: behavioral1
  Sample: 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
Size: 60KB
MD5: 1a1871d24c9a060974d7ea8e1ee2f3be
SHA1: 5cc14cd80cf0ff2b167d569f7abeaa4ad4edd263
SHA256: bb5883e8b4d6e8242a50addb4ac6e1f4e8b4773fc0ca60137efa37e18cb7651d
SHA512: eae61512c7bcfd138c1a9cfbe31522fb114472708daa1793f7333f88486f63828584fadcda744c50f2310f147723061ade6b562f8ff0b42d75db4da0a4716bf3
SSDEEP: 1536:7m7wjsVTJ+p3JrkGLawHE/E2j+Ei+Hj2aBzybXNEH8YcdVuP:A+sVT45mn/bjni8DBebXNA8YuuP
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral1/memory/2180-3-0x0000000000400000-0x000000000042102D-memory.dmp | modiloader_stage2
behavioral1/files/0x000c00000001227b-7.dat | modiloader_stage2

Executes dropped EXE (2 IoCs)
pid | Process
2208 | temp.exe
2248 | tcpip.exe

Loads dropped DLL (2 IoCs)
pid | Process
760 | cmd.exe
760 | cmd.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\tcpip.exe | temp.exe
File created | C:\Windows\SysWOW64\bbbbbbbbbbb.bat | temp.exe
File created | C:\Windows\SysWOW64\wwinsystem.dll | tcpip.exe
File created | C:\Windows\SysWOW64\tcpip.exe | temp.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid | Process
2180 | 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
2180 | 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
2208 | temp.exe
2208 | temp.exe
2208 | temp.exe
2208 | temp.exe
2248 | tcpip.exe
2248 | tcpip.exe
2248 | tcpip.exe
2248 | tcpip.exe
2208 | temp.exe
2208 | temp.exe
2208 | temp.exe
2208 | temp.exe
2248 | tcpip.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2208 | temp.exe
Token: SeDebugPrivilege | 2248 | tcpip.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 2180 wrote to memory of 760 | 2180 | 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe | 28
PID 2180 wrote to memory of 760 | 2180 | 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe | 28
PID 2180 wrote to memory of 760 | 2180 | 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe | 28
PID 2180 wrote to memory of 760 | 2180 | 1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe | 28
PID 760 wrote to memory of 2208 | 760 | cmd.exe | 30
PID 760 wrote to memory of 2208 | 760 | cmd.exe | 30
PID 760 wrote to memory of 2208 | 760 | cmd.exe | 30
PID 760 wrote to memory of 2208 | 760 | cmd.exe | 30
PID 2208 wrote to memory of 2120 | 2208 | temp.exe | 32
PID 2208 wrote to memory of 2120 | 2208 | temp.exe | 32
PID 2208 wrote to memory of 2120 | 2208 | temp.exe | 32
PID 2208 wrote to memory of 2120 | 2208 | temp.exe | 32
PID 2248 wrote to memory of 1200 | 2248 | tcpip.exe | 21
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  C:\Users\Admin\AppData\Local\Temp\1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a1871d24c9a060974d7ea8e1ee2f3be_JaffaCakes118.exe"
    PID: 2180
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\temp.exe
      PID: 760
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\temp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\temp.exe
        PID: 2208
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c C:\Windows\system32\bbbbbbbbbbb.bat
          PID: 2120

C:\Windows\SysWOW64\tcpip.exe
  Command line: C:\Windows\SysWOW64\tcpip.exe
  PID: 2248
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 44KB
MD5: 525bad80767be776bad88b697a878b09
SHA1: f9d1b62f325b86346224f1d206d1a9b062957bfd
SHA256: f96c1d02cda03f85e2bb00c91934e3b11566c2f0ec018756045b732a033ba97f
SHA512: b31a86463f28156a07661484c54a40619d88c7aa6f3b412e7fa66a11494470ad5b32276a177235b30a010173708205bd413f736face69606dbabe45ca9adaed9

Filesize: 142B
MD5: 53c15f9d357cfc1f0225894d022d38a0
SHA1: 8072a611daf361d643d68d541a7201b7b9deda61
SHA256: 6addadfa58eb068cc0d7a34fd225855168a1efc7e52ca6a6400c12b1a492f274
SHA512: 5dfa29e8fca646e0faadf4632e301be4918d256e7a9713f689b3d082ca2922843d12bad825516f02916b2405e1741a08bd8cb1944880ded175271b5f2541e407