Analysis
max time kernel: 140s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 21:13
Behavioral task: behavioral1
Sample: e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
Size: 282KB
MD5: e10bcf6b5e436eb96ad92ac2ef8317df
SHA1: bf87fb1f340d751d3ef183c98003903293a51052
SHA256: 5c2f653066d3a4e0ee0af293b9c3800220603e992a630e9181065aef7c2dc68e
SHA512: 8b1ffca777c01b4d3768cbcb394f7ec179d22d7cbd61d41f77d631ca765b741aa2a58634843b6dbee093d8591eefb540565a9b5f20434b49976a5d2cee236943
SSDEEP: 6144:w6LRwbLWfBuCFSvJBpuQiEdsgVwufvUkvKoC5BnQXjdU:TObHCFSvJBpDvG5zmq
Malware Config
Signatures
- ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (7 IoCs)
resource  yara_rule
behavioral2/memory/1044-0-0x0000000000400000-0x000000000049B714-memory.dmp  modiloader_stage2
behavioral2/files/0x00090000000233f5-4.dat  modiloader_stage2
behavioral2/memory/1044-9-0x0000000000400000-0x000000000049B714-memory.dmp  modiloader_stage2
behavioral2/memory/4172-10-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/4172-15-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/4172-16-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/4172-22-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
- Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netctrl\Parameters\ServiceDll = "C:\\Windows\\system32\\syst.dll"  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
- Loads dropped DLL (1 IoCs)
pid  Process
4172  svchost.exe
- Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (4 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\syst.dll  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\syst.dll  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\netbackup.exe  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\netbackup.exe  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 1044 wrote to memory of 2096  1044  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe  90
PID 1044 wrote to memory of 2096  1044  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe  90
PID 1044 wrote to memory of 2096  1044  e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe  90
Processes
C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe"
PID: 1044
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 1044)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe"
    PID: 2096
    - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\svchost.exe (depth 1)
Command line: C:\Windows\SysWOW64\svchost.exe -k remoteservice
PID: 4172
- Loads dropped DLL
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 246KB
MD5: 2d97751212dc6002c1ffdab8bc0b5311
SHA1: af2fa9a124ecd748892f9914342713aa92fda772
SHA256: ddd49967b84504e84f02f8cade291af2defba8af09f85513eabb572ef240129e
SHA512: be07684de55a9b8b5737831a4ef4653453dd806d4f5364f96c628b0a7503b19f34383130aa6daf35427dbc4f126c68d51cae238d9a1e70bbf7504d0f8aaf05a8