Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 04:25
Behavioral task
behavioral1
Sample
ddab607e406690a2db69339a28754966_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ddab607e406690a2db69339a28754966_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ddab607e406690a2db69339a28754966_JaffaCakes118.exe
-
Size
548KB
-
MD5
ddab607e406690a2db69339a28754966
-
SHA1
5a081f942311f0710e4541d710ca2fb273ca617d
-
SHA256
db8411fd206557d38a0c92aecda34b7cc27a2a1b97e6cb49daa45d3b78a6fd10
-
SHA512
909be3bd09e40c627ec586b32e10c4b52977dd1074a74aa5138ef56596af1bb549bfc7e20e0dc23647763c8439d2af9e3e5c2f77d963a6a52b46a32833a1d6c8
-
SSDEEP
12288:0YnBSkuVUeZdYqwTTJHoSIBI3FIiSH61fzIrQEv/rGh6oPkrF4:hSkuiqwTdXtS98EiDQF4
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 5 IoCs
resource yara_rule behavioral2/memory/3408-0-0x0000000000400000-0x0000000000469000-memory.dmp modiloader_stage2 behavioral2/files/0x000500000001db65-6.dat modiloader_stage2 behavioral2/memory/3804-11-0x0000000000400000-0x0000000000469000-memory.dmp modiloader_stage2 behavioral2/memory/3408-13-0x0000000000400000-0x0000000000469000-memory.dmp modiloader_stage2 behavioral2/memory/3804-29-0x0000000000400000-0x0000000000469000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation ddab607e406690a2db69339a28754966_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 3804 mstwain32.exe -
Executes dropped EXE 1 IoCs
pid Process 3804 mstwain32.exe -
Loads dropped DLL 4 IoCs
pid Process 3804 mstwain32.exe 3804 mstwain32.exe 3804 mstwain32.exe 3804 mstwain32.exe -
resource yara_rule behavioral2/memory/3408-0-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral2/files/0x000500000001db65-6.dat upx behavioral2/memory/3804-11-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral2/memory/3408-13-0x0000000000400000-0x0000000000469000-memory.dmp upx behavioral2/memory/3804-29-0x0000000000400000-0x0000000000469000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ddab607e406690a2db69339a28754966_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\mstwain32.exe ddab607e406690a2db69339a28754966_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe ddab607e406690a2db69339a28754966_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddab607e406690a2db69339a28754966_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mstwain32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 3408 ddab607e406690a2db69339a28754966_JaffaCakes118.exe Token: SeBackupPrivilege 4164 vssvc.exe Token: SeRestorePrivilege 4164 vssvc.exe Token: SeAuditPrivilege 4164 vssvc.exe Token: SeDebugPrivilege 3804 mstwain32.exe Token: SeDebugPrivilege 3804 mstwain32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3408 ddab607e406690a2db69339a28754966_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3804 mstwain32.exe 3804 mstwain32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3408 wrote to memory of 3804 3408 ddab607e406690a2db69339a28754966_JaffaCakes118.exe 89 PID 3408 wrote to memory of 3804 3408 ddab607e406690a2db69339a28754966_JaffaCakes118.exe 89 PID 3408 wrote to memory of 3804 3408 ddab607e406690a2db69339a28754966_JaffaCakes118.exe 89 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddab607e406690a2db69339a28754966_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ddab607e406690a2db69339a28754966_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\ddab607e406690a2db69339a28754966_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3804
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD503a9e3bce960139d5c1c8123ee2df259
SHA139d832fc65cd030739ca8f9f1cd68dcc59305aa5
SHA256ad4ccc7a1d44837701ffd5003748b821ebc9f2fe078eb0feed15c7302411d416
SHA512c17f8f8e134484e81453a42fb16d1785252c78a6249f2ed0843f20144af6a160c2fe165a0a22d3363dc04fdb97f2e7ce6399be77e2a885a3dad755ed785c9e8a
-
Filesize
548KB
MD5ddab607e406690a2db69339a28754966
SHA15a081f942311f0710e4541d710ca2fb273ca617d
SHA256db8411fd206557d38a0c92aecda34b7cc27a2a1b97e6cb49daa45d3b78a6fd10
SHA512909be3bd09e40c627ec586b32e10c4b52977dd1074a74aa5138ef56596af1bb549bfc7e20e0dc23647763c8439d2af9e3e5c2f77d963a6a52b46a32833a1d6c8
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350