Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 16s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13/09/2024, 23:30
Static task: static1
Behavioral task: behavioral1
- Sample: df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
- Size: 24KB
- MD5: df17a77c9a575cf2b8e44ab0327ddb95
- SHA1: 5f2fa75f4ac910655d072cf8220bfaf881934ce8
- SHA256: 20ee225638888e90f83ceab5598db6e6a9ce851b7b8d0f24336a70be72e0790e
- SHA512: 0a0d8596c4a2169f62d88b50ab8a80d14499da11c978e760df4729335934cd7cb76296b857829af8b8598d56bb8519c496810ca9bb1e8100bda5d619b99564c8
- SSDEEP: 384:qlrKj7WmwdFCQkjOGXi3jBiS/gcHUEdCiNDDiz/elc1TL2c10s:q4jhwPCPOGXoD8iNc/91TL2W5
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2412-14-0x0000000000400000-0x0000000000422000-memory.dmp | modiloader_stage2
  behavioral1/memory/2376-13-0x0000000000400000-0x0000000000422000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  2376 | winwl.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\kulionwl.dll | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
  File created | C:\Windows\winwl.exe | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
  File opened for modification | C:\Windows\winwl.exe | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
  File created | C:\Windows\kulionwl.dll | winwl.exe
  File created | C:\Windows\winwl.exe | winwl.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winwl.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2412 wrote to memory of 2376 | 2412 | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe | 29
  PID 2412 wrote to memory of 2376 | 2412 | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe | 29
  PID 2412 wrote to memory of 2376 | 2412 | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe | 29
  PID 2412 wrote to memory of 2376 | 2412 | df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\df17a77c9a575cf2b8e44ab0327ddb95_JaffaCakes118.exe"
  PID: 2412
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\winwl.exe (child of PID 2412)
    Command line: C:\Windows\winwl.exe
    PID: 2376
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: 1a6331dd009d31918aa54631a57b0215
  SHA1: 69deb1a87c84079e52c6c28baa8cc76f0b098e07
  SHA256: 44ea0810af4f9ed0f792a8b102fcfea5171f4a4f221ba2568d5dd739f01c6dd4
  SHA512: a9935da3e8ad99d4e56712379d5c25aef242f785954fea569485180f1e7400e3c7b107cbcc7ab7b3bb98bdc3dea521ae0c21aa5773ac4e0276e55c33c3fc24ee
- Filesize: 24KB
  MD5: df17a77c9a575cf2b8e44ab0327ddb95
  SHA1: 5f2fa75f4ac910655d072cf8220bfaf881934ce8
  SHA256: 20ee225638888e90f83ceab5598db6e6a9ce851b7b8d0f24336a70be72e0790e
  SHA512: 0a0d8596c4a2169f62d88b50ab8a80d14499da11c978e760df4729335934cd7cb76296b857829af8b8598d56bb8519c496810ca9bb1e8100bda5d619b99564c8