Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2024, 14:07
Static task: static1
Behavioral task: behavioral1
- Sample: e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
- Size: 586KB
- MD5: e057f854186af932dc5c4b6cc3b64c9b
- SHA1: 303e8f819f3e0cd7c94182c086f78153e74615e1
- SHA256: 9be0c113fd963f47dcac898e3acb6b0c435ab9e6a8b5885a83b1924f044288d0
- SHA512: da13f88d41a73a8a6fe8d0de6c9375e1a4fc64c3d944efdc312ad4017f03da1c815e2a843038b2b6759c43b5ea655ca7cca38be055bafec7846d133dbf189196
- SSDEEP: 12288:MMub4J0FyKM9MzzZhpehuP4TysyVtlxF3Z4mxxzi3VHOlxrB:MqJ0FyzEzle8P80bxQmXOlHOlxrB
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2700-32-0x00000000034D0000-0x000000000357E000-memory.dmp | modiloader_stage2
  behavioral2/memory/2700-35-0x00000000034D0000-0x000000000357E000-memory.dmp | modiloader_stage2
  behavioral2/memory/2700-46-0x0000000000400000-0x000000000055D000-memory.dmp | modiloader_stage2
  behavioral2/memory/1668-50-0x0000000000400000-0x000000000055D000-memory.dmp | modiloader_stage2

- Executes dropped EXE (1 IoC)
  pid | Process
  1668 | at.exe

- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\_at.exe | at.exe
  File opened for modification | C:\Windows\SysWOW64\_at.exe | at.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1668 set thread context of 1116 | 1668 | at.exe | 87

- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\at.exe | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\at.exe | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe

- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  452 | 1668 | WerFault.exe | 86
  540 | 1116 | WerFault.exe | 87
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  1116 | calc.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 2700 wrote to memory of 1668 | 2700 | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe | 86
  PID 2700 wrote to memory of 1668 | 2700 | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe | 86
  PID 2700 wrote to memory of 1668 | 2700 | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe | 86
  PID 1668 wrote to memory of 1116 | 1668 | at.exe | 87
  PID 1668 wrote to memory of 1116 | 1668 | at.exe | 87
  PID 1668 wrote to memory of 1116 | 1668 | at.exe | 87
  PID 1668 wrote to memory of 1116 | 1668 | at.exe | 87
  PID 1668 wrote to memory of 1116 | 1668 | at.exe | 87
  PID 1668 wrote to memory of 4952 | 1668 | at.exe | 89
  PID 1668 wrote to memory of 4952 | 1668 | at.exe | 89
  PID 2700 wrote to memory of 1524 | 2700 | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe | 95
  PID 2700 wrote to memory of 1524 | 2700 | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe | 95
  PID 2700 wrote to memory of 1524 | 2700 | e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe | 95
Processes (process tree; indentation shows parent/child depth)

[1] C:\Users\Admin\AppData\Local\Temp\e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e057f854186af932dc5c4b6cc3b64c9b_JaffaCakes118.exe"
    PID: 2700
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Common Files\Microsoft Shared\MSINFO\at.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\at.exe"
        PID: 1668
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\calc.exe
            Command line: "C:\Windows\system32\calc.exe"
            PID: 1116
            - Suspicious use of UnmapMainImage

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 12
                PID: 540
                - Program crash

        [3] C:\program files\internet explorer\IEXPLORE.EXE
            Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
            PID: 4952

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 688
            PID: 452
            - Program crash

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SxingDel.bat""
        PID: 1524
        - System Location Discovery: System Language Discovery

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1668 -ip 1668
    PID: 4496

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1116 -ip 1116
    PID: 3212
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: 007460bf319cc2b6d779127bb24ce333
  SHA1: 718a9a0fe74291b289fc1bd54b01143923a09ce1
  SHA256: f38253025022c2a345635e118e7c8b6ff0d9c3cb5bb9b6a4d1a314dea602585e
  SHA512: 535ea2bc6b40f9e7597eac1ae565d670ebb9e7c81849b7eda15cbee05933b466fc16386f9cf5586a6a3a16968e2b90644f842b874f02620773bb01e06afaf79d
- Filesize: 586KB
  MD5: e057f854186af932dc5c4b6cc3b64c9b
  SHA1: 303e8f819f3e0cd7c94182c086f78153e74615e1
  SHA256: 9be0c113fd963f47dcac898e3acb6b0c435ab9e6a8b5885a83b1924f044288d0
  SHA512: da13f88d41a73a8a6fe8d0de6c9375e1a4fc64c3d944efdc312ad4017f03da1c815e2a843038b2b6759c43b5ea655ca7cca38be055bafec7846d133dbf189196