Analysis
Max time kernel: 26s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 20/08/2024, 02:10
Static task: static1
Behavioral task: behavioral1
  Sample: ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
Size: 264KB
MD5: ad8001f4331f0e3bc24808981425b799
SHA1: 31744f6da6e372581819a9c201223b5955b1c035
SHA256: af5b42def8c31a29a0e9b3b1fe012fe1242576b6b7363ef284f00585db2cf216
SHA512: 5984ce4d32f63287cefe394150246b0ad677543f70b2eea2ab5c24ed608343c0605de7d249ca392e3605003701898b1c3dbe03e63618fad89753a2aeea7adb41
SSDEEP: 3072:Lh8YRHE5GsBZCu9MxOLMJj9A0XSQooWzI3jnmyd1mUDPekZ/eUXyHAQyVWCSWFyQ:18C0GAZCvac7SiZjJ7beUXy0Vzy+FE8F
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2268-9-0x0000000020000000-0x0000000020047000-memory.dmp   modiloader_stage2
  behavioral1/memory/2240-12-0x0000000000400000-0x000000000047C000-memory.dmp  modiloader_stage2
  behavioral1/memory/2240-27-0x0000000000400000-0x000000000047C000-memory.dmp  modiloader_stage2
  behavioral1/memory/2264-38-0x0000000020000000-0x0000000020047000-memory.dmp  modiloader_stage2
  behavioral1/memory/2908-50-0x0000000000400000-0x000000000047C000-memory.dmp  modiloader_stage2
Drops file in Drivers directory (3 IoCs)
  description                   ioc                                    Process
  File created                  C:\Windows\SysWOW64\drivers\smss.exe   ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\drivers\smss.exe_  smss.exe
  File opened for modification  C:\Windows\SysWOW64\drivers\smss.exe_  smss.exe
Drops startup file (1 IoC)
  description   ioc                                                                                                  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SP2.lnk  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  2264  smss.exe
  2908  smss.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe

  resource                                                                     yara_rule
  behavioral1/memory/2240-10-0x0000000000400000-0x000000000047C000-memory.dmp  upx
  behavioral1/memory/2240-12-0x0000000000400000-0x000000000047C000-memory.dmp  upx
  behavioral1/memory/2240-11-0x0000000000400000-0x000000000047C000-memory.dmp  upx
  behavioral1/memory/2240-7-0x0000000000400000-0x000000000047C000-memory.dmp   upx
  behavioral1/memory/2240-6-0x0000000000400000-0x000000000047C000-memory.dmp   upx
  behavioral1/memory/2240-27-0x0000000000400000-0x000000000047C000-memory.dmp  upx
  behavioral1/memory/2908-41-0x0000000000400000-0x000000000047C000-memory.dmp  upx
  behavioral1/memory/2908-50-0x0000000000400000-0x000000000047C000-memory.dmp  upx
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                             procid_target
  PID 2268 set thread context of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2264 set thread context of 2908  2264  smss.exe                                            32
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    smss.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    smss.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description                     pid   Process                                             procid_target
  PID 2268 wrote to memory of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2268 wrote to memory of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2268 wrote to memory of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2268 wrote to memory of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2268 wrote to memory of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2268 wrote to memory of 2240  2268  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  30
  PID 2240 wrote to memory of 2264  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  31
  PID 2240 wrote to memory of 2264  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  31
  PID 2240 wrote to memory of 2264  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  31
  PID 2240 wrote to memory of 2264  2240  ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe  31
  PID 2264 wrote to memory of 2908  2264  smss.exe                                            32
  PID 2264 wrote to memory of 2908  2264  smss.exe                                            32
  PID 2264 wrote to memory of 2908  2264  smss.exe                                            32
  PID 2264 wrote to memory of 2908  2264  smss.exe                                            32
  PID 2264 wrote to memory of 2908  2264  smss.exe                                            32
  PID 2264 wrote to memory of 2908  2264  smss.exe                                            32
Processes (process tree; indentation shows parent/child depth)

Depth 1: C:\Users\Admin\AppData\Local\Temp\ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe"
  PID: 2268
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ad8001f4331f0e3bc24808981425b799_JaffaCakes118.exe
    PID: 2240
    - Drops file in Drivers directory
    - Drops startup file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\drivers\smss.exe
      Command line: C:\Windows\system32\drivers\smss.exe
      PID: 2264
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\drivers\smss.exe
        Command line: C:\Windows\SysWOW64\drivers\smss.exe
        PID: 2908
        - Drops file in Drivers directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 264KB
MD5: ad8001f4331f0e3bc24808981425b799
SHA1: 31744f6da6e372581819a9c201223b5955b1c035
SHA256: af5b42def8c31a29a0e9b3b1fe012fe1242576b6b7363ef284f00585db2cf216
SHA512: 5984ce4d32f63287cefe394150246b0ad677543f70b2eea2ab5c24ed608343c0605de7d249ca392e3605003701898b1c3dbe03e63618fad89753a2aeea7adb41