Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 09/09/2024, 08:39
Static task
- static1

Behavioral task
- behavioral1
  Sample: d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
  Resource: win7-20240729-en

Behavioral task
- behavioral2
  Sample: d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
- Size: 590KB
- MD5: d5f7dcba1f4b7b7659742305e4fcc41f
- SHA1: 4dac1f030d66273ee13934a5f9ec0ba1951847a2
- SHA256: 2ef7d74625d62840d77464481e128e0b2f835043852e08413716b7dbb5b1135a
- SHA512: ce62e51fb7ae2cdd0f203dc0c3616814e7af298e6aa72584470f276081a2b626936872f2c5fdd28f5605fd9560614617f0c28e160f8d21db34418287e376d7d6
- SSDEEP: 12288:owDDh8iktuS3BuLr5+OWJSR4FktF3Z4mxx6hsV4AOwf7DGj7XQs:ow/6juSxuPUSKutQmXYYtfujJ
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (1 IoC)
  resource: behavioral1/memory/2628-57-0x0000000013140000-0x0000000013209000-memory.dmp
  yara_rule: modiloader_stage2

- Executes dropped EXE (1 IoC)
  pid   Process
  2628  4.exe

- Loads dropped DLL (6 IoCs)
  pid   Process
  2572  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
  2572  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
  2772  WerFault.exe
  2772  WerFault.exe
  2772  WerFault.exe
  2772  WerFault.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe

- Program crash (1 IoC)
  pid   pid_target  Process
  2772  2628        WerFault.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                             procid_target
  PID 2572 wrote to memory of 2628  2572  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe  31
  PID 2572 wrote to memory of 2628  2572  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe  31
  PID 2572 wrote to memory of 2628  2572  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe  31
  PID 2572 wrote to memory of 2628  2572  d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe  31
  PID 2628 wrote to memory of 2772  2628  4.exe                                               32
  PID 2628 wrote to memory of 2772  2628  4.exe                                               32
  PID 2628 wrote to memory of 2772  2628  4.exe                                               32
  PID 2628 wrote to memory of 2772  2628  4.exe                                               32
Processes
- C:\Users\Admin\AppData\Local\Temp\d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5f7dcba1f4b7b7659742305e4fcc41f_JaffaCakes118.exe"
  PID: 2572
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4.exe
    PID: 2628
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 156
      PID: 2772
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 221KB
  MD5: a16a4b5f68b877f7dc0909ff4e10db3e
  SHA1: 6a357ca3a94f39c865e5c98187a2f5ee1607ea6d
  SHA256: 1f905fb895828aba74f3f296ae2eafe3f0deeb62ab48c5258a487d18f6f5d8c0
  SHA512: 60a55f7f91e2c0d5047dfe22b71079fa92465c762ebcdc952cba9cee6c57c3f7b9a38870d31529efe7fa976e0b78f2d1f19ab6138d9ac286fb229e498385568d