Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 21:05
Static task: static1
Behavioral task: behavioral1
  Sample: dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe
Size: 701KB
MD5: dee67ad2022a50c9a850345f9f3039ad
SHA1: 3e4c82e2ad7dbf797c2d1af1c41939c7147233ac
SHA256: 797912761cf52fc44dda12c6fa8a0027c92ab06c9c17eb63130d0b6934b7c3f9
SHA512: 06533c800facb33e67ecc99fad16fe7176705e7efde64c7edd0f4aa9c3c5c5c10d302989dc14cae992be23bdd5ea3e45de6048bd6658a0be8ac51abbede0e90a
SSDEEP: 12288:Y25vFB7a36YOZ0BHNpFhZ+ylXjDuNKTh41c2obY7N3PocPj:DxX86HMHNpF3HuNKlqochfocPj
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3952-19-0x0000000000400000-0x0000000000521000-memory.dmp   modiloader_stage2
  behavioral2/memory/4144-27-0x0000000000400000-0x0000000000521000-memory.dmp   modiloader_stage2
  behavioral2/memory/3952-28-0x0000000000400000-0x0000000000521000-memory.dmp   modiloader_stage2
  behavioral2/memory/4144-31-0x0000000000400000-0x0000000000521000-memory.dmp   modiloader_stage2
Executes dropped EXE (2 IoCs)
  pid   Process
  3952  8_LHEX~1.EXE
  4144  srever.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe
  Note: the wextract_cleanup0 RunOnce value and the IXP000.TMP directory are standard artifacts of a Microsoft IExpress (wextract) self-extracting package. The value only schedules deletion of the extraction directory at next logon via advpack.dll DelNodeRunDLL32; it is not persistence for the payload. It does show that the submitted executable is an IExpress wrapper that unpacks and runs 8_LHEX~1.EXE.
Drops file in Program Files directory (2 IoCs)
  description                    ioc                                                               Process
  File created                   C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe  8_LHEX~1.EXE
  File opened for modification   C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe  8_LHEX~1.EXE
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  5084  4144        WerFault.exe  87
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8_LHEX~1.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  srever.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                              procid_target
  PID 1768 wrote to memory of 3952   1768  dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe  84
  PID 1768 wrote to memory of 3952   1768  dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe  84
  PID 1768 wrote to memory of 3952   1768  dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe  84
  PID 3952 wrote to memory of 4144   3952  8_LHEX~1.EXE                                         87
  PID 3952 wrote to memory of 4144   3952  8_LHEX~1.EXE                                         87
  PID 3952 wrote to memory of 4144   3952  8_LHEX~1.EXE                                         87
  PID 4144 wrote to memory of 4020   4144  srever.exe                                           88
  PID 4144 wrote to memory of 4020   4144  srever.exe                                           88
Processes
  C:\Users\Admin\AppData\Local\Temp\dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe"
    PID: 1768
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8_LHEX~1.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8_LHEX~1.EXE
      PID: 3952
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe"
        PID: 4144
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\program files\internet explorer\IEXPLORE.EXE
          Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
          PID: 4020
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 624
          PID: 5084
          - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4144 -ip 4144
    PID: 212
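The Signatures and Processes sections above describe a chain that can be hunted for on endpoint telemetry: an IExpress wrapper unpacking into IXP000.TMP, a second stage dropped and run from Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe, and that stage writing into and starting IEXPLORE.EXE. The following is an added example, not code from the report or from tria.ge. It expresses those observations as rules over Sysmon-style process-creation (event 1) and file-creation (event 11) records and runs them on constructed events; the paths, PIDs and hashes are copied from the report, while the event schema, the parent PID 640, the explorer.exe parent and the benign Internet Explorer launch are assumptions. The 387KB hash comes from the Downloads section, which does not say which file it belongs to, so it is used only as a hash indicator.

```python
import re
from dataclasses import dataclass

# Hashes taken from the report: the submitted sample (General) and the
# 387KB file under Downloads, which the report does not map to a filename.
SAMPLE_SHA256 = "797912761cf52fc44dda12c6fa8a0027c92ab06c9c17eb63130d0b6934b7c3f9"
DOWNLOAD_SHA256 = "93c876b2084c1f27fd1a23e54e3199c4a180303a5648c90d234d86a3f19f8522"
KNOWN_BAD = {SAMPLE_SHA256, DOWNLOAD_SHA256}

# IExpress (wextract) self-extractors unpack to %TEMP%\IXP000.TMP, IXP001.TMP, ...
IEXPRESS_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
# Drop location used by this sample for the second stage (srever.exe).
MSINFO_DIR = re.compile(r"\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\", re.IGNORECASE)
BROWSERS = {"iexplore.exe"}
# Parents from which a browser start is expected (assumed list); anything else is worth a look.
SHELL_PARENTS = {"explorer.exe", "iexplore.exe", "cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Apply the report-derived rules to process-create (1) and file-create (11) events."""
    hits = []
    for ev in events:
        if ev["event_id"] == 1:
            image, parent = ev["image"], ev["parent_image"]
            if ev.get("sha256") in KNOWN_BAD:
                hits.append(Hit("known_bad_hash", ev["pid"], ev["sha256"]))
            if IEXPRESS_DIR.search(image):
                hits.append(Hit("exec_from_iexpress_tmp", ev["pid"], image))
            if MSINFO_DIR.search(image):
                hits.append(Hit("exec_from_msinfo", ev["pid"], image))
            if basename(image) in BROWSERS and basename(parent) not in SHELL_PARENTS:
                hits.append(Hit("browser_spawned_by_non_shell", ev["pid"], parent))
        elif ev["event_id"] == 11:
            target = ev["target"]
            if MSINFO_DIR.search(target) and basename(target).endswith(".exe"):
                hits.append(Hit("exe_dropped_in_msinfo", ev["pid"], target))
    return hits


def chain(events, pid):
    """Follow ppid links from pid to the root and return image basenames, root first."""
    by_pid = {ev["pid"]: ev for ev in events if ev["event_id"] == 1}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]


# Constructed events mirroring the report's process tree. PIDs and paths match the
# report; ppid 640, the explorer.exe parent and the final benign event are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dee67ad2022a50c9a850345f9f3039ad_JaffaCakes118.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8_LHEX~1.EXE"
STAGE2 = r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe"
IE = r"C:\program files\internet explorer\IEXPLORE.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"event_id": 1, "pid": 1768, "ppid": 640, "image": SAMPLE, "parent_image": EXPLORER, "sha256": SAMPLE_SHA256},
    {"event_id": 1, "pid": 3952, "ppid": 1768, "image": STAGE1, "parent_image": SAMPLE},
    {"event_id": 11, "pid": 3952, "image": STAGE1, "target": STAGE2},
    {"event_id": 1, "pid": 4144, "ppid": 3952, "image": STAGE2, "parent_image": STAGE1},
    {"event_id": 1, "pid": 4020, "ppid": 4144, "image": IE, "parent_image": STAGE2},
    {"event_id": 1, "pid": 5084, "ppid": 4144, "image": r"C:\Windows\SysWOW64\WerFault.exe", "parent_image": STAGE2},
    # Benign control: a user opening Internet Explorer from the shell must not fire.
    {"event_id": 1, "pid": 9001, "ppid": 640, "image": IE, "parent_image": EXPLORER},
]

if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h.rule:32} pid={h.pid:<5} {h.detail}")
    print("chain to IEXPLORE.EXE:", " -> ".join(chain(EVENTS, 4020)))
```

The path rules are the durable part: the hashes change with every rebuild, but an executable started from an IXP*.TMP directory, an .exe written under the MSINFO shared folder, and a browser started by something other than the shell each survive repacking. The WerFault.exe child is left unmatched on purpose; the crash of srever.exe is a side effect, not an indicator.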
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 387KB
  MD5: 339c098612d9d5e191ff1ed1cf79e407
  SHA1: 4100a767a69410dc46e0cedf9271b19fd77daba5
  SHA256: 93c876b2084c1f27fd1a23e54e3199c4a180303a5648c90d234d86a3f19f8522
  SHA512: 7801e6a24a9a349293d254a3a4bffa62765cb7bf5749a4743a20854adf501acf33ef746a92fc410aad056d3398367607b142a2ab141d09517aa182670776261e