Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 13:25
Static task: static1
Behavioral task: behavioral1
  Sample: 227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe
Size: 718KB
MD5: 227fbc9e0fc268c5b5bc11620f427e80
SHA1: 6002c7e7bd4bd693a389907292dc9332105705b7
SHA256: 0e692fadfb06c91d660104ada432ca3268a7c11faaccc6f7b015c47f8dea887c
SHA512: d2fff028c4f51fe85eba673cc70304133421e89b01c6de26ab2b85694061aa106f19e1143e2fd53662730e6448c633c1c8c7eb2d7261e4d536494cd4aa2d0932
SSDEEP: 12288:ZkSFizeGD1h2bGZCS1JHT/LmC3Fo/0F3Z4mxx+DqVTVOCS:ZkxjD3pZ/prt3FosQmXNVTzS
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
resource | yara_rule
behavioral2/files/0x000600000002326f-62.dat | modiloader_stage2
behavioral2/memory/3040-74-0x00000000009A0000-0x0000000000A57000-memory.dmp | modiloader_stage2
behavioral2/memory/2700-78-0x0000000000400000-0x00000000004B7000-memory.dmp | modiloader_stage2
behavioral2/memory/4976-77-0x0000000000400000-0x00000000004B7000-memory.dmp | modiloader_stage2

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
pid | Process
2700 | 3.exe
4976 | rejoice47.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4976 set thread context of 3040 | 4976 | rejoice47.exe | 82

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat | 3.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe | 3.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe | 3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C672EB7E-393F-11EF-BA70-C2BABBD8D0A3} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426175033" | IEXPLORE.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3040 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
3040 | IEXPLORE.EXE (2 entries)
1192 | IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 4888 wrote to memory of 2700 | 4888 | 227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe | 80 (3 entries)
PID 2700 wrote to memory of 4976 | 2700 | 3.exe | 81 (3 entries)
PID 4976 wrote to memory of 3040 | 4976 | rejoice47.exe | 82 (3 entries)
PID 2700 wrote to memory of 1064 | 2700 | 3.exe | 83 (3 entries)
PID 3040 wrote to memory of 1192 | 3040 | IEXPLORE.EXE | 85 (3 entries)
Processes (indented by depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\227fbc9e0fc268c5b5bc11620f427e80_JaffaCakes118.exe"
   PID: 4888
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
      PID: 2700
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe
         Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice47.exe"
         PID: 4976
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\program files\internet explorer\IEXPLORE.EXE
            Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
            PID: 3040
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
               Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:17410 /prefetch:2
               PID: 1192
               - Modifies Internet Explorer settings
               - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
         PID: 1064
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 122B
MD5: c6cbf263f5edd10cbc32e5ef40b33d9e
SHA1: 0073d4bee85f70754c2f6257a32b03a72007d75b
SHA256: 35939646786fff9edb272c0e6727827b7254419b451a3983c2fd5d7b04bafbad
SHA512: 61a3ec28a835b9b6c1cfe0cbe8d62972cb98032dad08cf06934dea8e6d7f0d2cd237084e29b201843870ce414590c07a4a7b52819d3d733ed8d99b5387219351

File 2
Filesize: 704KB
MD5: 740fa7acf08a0c5fd1dd85a421591c6d
SHA1: 34c775ef9c2405cac96a80c9d39330354fed72ef
SHA256: 03dc94588bd318d9b8c4faddee4de0e014c69a9a18531451d8380fab49d6ac72
SHA512: 94c29eaabac1cfc0efce08723e6863e11e1c66837c60dbc1791dbf8b583736156886ba80e2844c97b853d19ba2d079786d41514a40318202049616f13bd20567