Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

df17a77c9a...18.exe

windows7-x64

10

df17a77c9a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe

  • Size

    24KB

  • MD5

    df17a77c9a575cf2b8e44ab0327ddb95

  • SHA1

    5f2fa75f4ac910655d072cf8220bfaf881934ce8

  • SHA256

    20ee225638888e90f83ceab5598db6e6a9ce851b7b8d0f24336a70be72e0790e

  • SHA512

    0a0d8596c4a2169f62d88b50ab8a80d14499da11c978e760df4729335934cd7cb76296b857829af8b8598d56bb8519c496810ca9bb1e8100bda5d619b99564c8

  • SSDEEP

    384:qlrKj7WmwdFCQkjOGXi3jBiS/gcHUEdCiNDDiz/elc1TL2c10s:q4jhwPCPOGXoD8iNc/91TL2W5

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\winwl.exe
      C:\Windows\winwl.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\kulionwl.dll
    Filesize

    28KB

    MD5

    1a6331dd009d31918aa54631a57b0215

    SHA1

    69deb1a87c84079e52c6c28baa8cc76f0b098e07

    SHA256

    44ea0810af4f9ed0f792a8b102fcfea5171f4a4f221ba2568d5dd739f01c6dd4

    SHA512

    a9935da3e8ad99d4e56712379d5c25aef242f785954fea569485180f1e7400e3c7b107cbcc7ab7b3bb98bdc3dea521ae0c21aa5773ac4e0276e55c33c3fc24ee

    Download Submit

  • C:\Windows\winwl.exe
    Filesize

    24KB

    MD5

    df17a77c9a575cf2b8e44ab0327ddb95

    SHA1

    5f2fa75f4ac910655d072cf8220bfaf881934ce8

    SHA256

    20ee225638888e90f83ceab5598db6e6a9ce851b7b8d0f24336a70be72e0790e

    SHA512

    0a0d8596c4a2169f62d88b50ab8a80d14499da11c978e760df4729335934cd7cb76296b857829af8b8598d56bb8519c496810ca9bb1e8100bda5d619b99564c8

    Download Submit

  • memory/2376-13-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2376-10-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2412-0-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2412-14-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2412-9-0x0000000000220000-0x0000000000242000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2412-8-0x0000000000220000-0x0000000000242000-memory.dmp

    Filesize

    136KB

    Download