Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 20/08/2024, 23:13
Static task: static1
Behavioral task: behavioral1
  Sample: b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
- Size: 21KB
- MD5: b13b6e28e3e02a62d42c09aca347a56e
- SHA1: 6c1f69df7b9895e3247e369ece09a2bb43570475
- SHA256: a46f03ae4f900892f68811a37e0d87ed9ef37cf316e5afd2c27d82cba3deb008
- SHA512: 72d0b79404fa6a45714b1de77268c5a4dcf9b2d0707b1e5c6d7b7a2b269d94a780be829bfc497b4d4a2b60cccdcc6034a2de8408759880c4ad16572ce4cede0e
- SSDEEP: 192:syrNCkGOuZJUAy7A4afcKK79y0BZOoWxZokqUYJLGiliH2JFPEY52MnHVhMYngMX:syrNNGOul14PQtZ5ilvL5bgHOS37Zyg
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1716-12-0x0000000000400000-0x0000000000415000-memory.dmp | modiloader_stage2
  behavioral1/memory/2112-16-0x0000000000400000-0x0000000000415000-memory.dmp | modiloader_stage2
- Deletes itself (1 IoC)
  pid | Process
  2552 | cmd.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2112 | tcpip.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\tcpip.exe | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\tcpip.exe | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\CABSDE.bat | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\portable.dll | tcpip.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tcpip.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | Process
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  2112 | tcpip.exe
  1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  2112 | tcpip.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2112 | tcpip.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 1716 wrote to memory of 2552 | 1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe | 31
  PID 1716 wrote to memory of 2552 | 1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe | 31
  PID 1716 wrote to memory of 2552 | 1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe | 31
  PID 1716 wrote to memory of 2552 | 1716 | b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe | 31
  PID 2112 wrote to memory of 1184 | 2112 | tcpip.exe | 21
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1
  PID: 1184
  - C:\Users\Admin\AppData\Local\Temp\b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b13b6e28e3e02a62d42c09aca347a56e_JaffaCakes118.exe"
    Depth: 2
    Signatures:
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1716
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Windows\system32\CABSDE.bat
      Depth: 3
      Signatures:
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2552
- C:\Windows\SysWOW64\tcpip.exe
  Command line: C:\Windows\SysWOW64\tcpip.exe
  Depth: 1
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2112
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214B
  MD5: 9436179d6f8994d035a8b811140b7887
  SHA1: 916f4685ec8b6b598461d678c195029cd6fa6613
  SHA256: 0ae8ef73d41c827307e08b64e77254ff9b284c3c8fe609a81f0f42e185d981fe
  SHA512: feff1c5257fdca2958f967d30a760632f3a08070adc26c705b01f80bbc3dfe19d41463251dbb6d318ae931525380229110b9948c6500b092bf251b2b47f9a53e
- Filesize: 21KB
  MD5: b13b6e28e3e02a62d42c09aca347a56e
  SHA1: 6c1f69df7b9895e3247e369ece09a2bb43570475
  SHA256: a46f03ae4f900892f68811a37e0d87ed9ef37cf316e5afd2c27d82cba3deb008
  SHA512: 72d0b79404fa6a45714b1de77268c5a4dcf9b2d0707b1e5c6d7b7a2b269d94a780be829bfc497b4d4a2b60cccdcc6034a2de8408759880c4ad16572ce4cede0e