
Analysis

  • max time kernel
    140s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14/09/2024, 21:13

General

  • Target

    e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe

  • Size

    282KB

  • MD5

    e10bcf6b5e436eb96ad92ac2ef8317df

  • SHA1

    bf87fb1f340d751d3ef183c98003903293a51052

  • SHA256

    5c2f653066d3a4e0ee0af293b9c3800220603e992a630e9181065aef7c2dc68e

  • SHA512

    8b1ffca777c01b4d3768cbcb394f7ec179d22d7cbd61d41f77d631ca765b741aa2a58634843b6dbee093d8591eefb540565a9b5f20434b49976a5d2cee236943

  • SSDEEP

    6144:w6LRwbLWfBuCFSvJBpuQiEdsgVwufvUkvKoC5BnQXjdU:TObHCFSvJBpDvG5zmq

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage (7 IoCs)
  • Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  • Loads dropped DLL (1 IoC)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2096
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k remoteservice
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:4172
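The process tree above records three behaviours a defender can turn directly into detection logic: the sample spawning `cmd /c del "<its own path>"` to remove itself, a 32-bit `svchost.exe` started from SysWOW64 with a `-k` service group, and that svchost loading the dropped `syst.dll`. The script below is an added example and not part of the tria.ge report or of the sample. It runs three rules over constructed Sysmon-style events modelled on PIDs 1044, 2096 and 4172 and the hashes in the Downloads section; the event schema, field names and the benign control event are assumptions. The report does not show a registry write for the Terminal Services DLL signature, so the DLL rule keys on the IoC hash and on svchost being the loader rather than on the TermService ServiceDll value.

```python
"""
Detection checks for three behaviours recorded in this report:
  1. self-deletion via cmd /c del "<own image>"   (Indicator Removal: File Deletion)
  2. svchost.exe loading a DLL with a known-bad hash (Loads dropped DLL / Terminal Services DLL)
  3. a 32-bit svchost.exe from SysWOW64 hosting a -k service group
The events are constructed to mirror the report's process tree; they are not
real telemetry, and the field names are an assumed Sysmon-like shape.
"""
import re
from dataclasses import dataclass

# SHA256 of the dropped DLL, taken from the report's Downloads section.
IOC_SHA256 = {
    "ddd49967b84504e84f02f8cade291af2defba8af09f85513eabb572ef240129e": "syst.dll",
}


@dataclass
class Event:
    kind: str                 # "process_create" or "image_load"
    pid: int
    image: str                # full path of the process image
    cmdline: str = ""
    parent_pid: int = 0
    parent_image: str = ""
    loaded: str = ""          # image_load only: DLL path
    sha256: str = ""          # image_load only: hash of the loaded DLL


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e10bcf6b5e436eb96ad92ac2ef8317df_JaffaCakes118.exe"

# Constructed events modelled on PIDs 1044, 2096 and 4172 in the report.
EVENTS = [
    Event("process_create", 1044, SAMPLE, f'"{SAMPLE}"'),
    Event("process_create", 2096, r"C:\Windows\SysWOW64\cmd.exe",
          f'cmd /c del "{SAMPLE}"', parent_pid=1044, parent_image=SAMPLE),
    Event("process_create", 4172, r"C:\Windows\SysWOW64\svchost.exe",
          r"C:\Windows\SysWOW64\svchost.exe -k remoteservice"),
    Event("image_load", 4172, r"C:\Windows\SysWOW64\svchost.exe",
          loaded=r"C:\Windows\SysWOW64\syst.dll",
          sha256="ddd49967b84504e84f02f8cade291af2defba8af09f85513eabb572ef240129e"),
    # Constructed benign control: a 64-bit service host mapping a system DLL.
    Event("image_load", 900, r"C:\Windows\System32\svchost.exe",
          loaded=r"C:\Windows\System32\ntdll.dll", sha256="0" * 64),
]

# Captures the target of a `del` command, quoted or unquoted.
_DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def self_delete(ev):
    """cmd.exe whose del target is the parent process's own image path."""
    if ev.kind != "process_create" or _basename(ev.image) != "cmd.exe":
        return False
    m = _DEL_RE.search(ev.cmdline)
    return bool(m) and m.group(1).lower() == ev.parent_image.lower()


def svchost_loads_ioc(ev):
    """svchost.exe mapping a DLL whose SHA256 is in the report's IoC set."""
    return (ev.kind == "image_load" and _basename(ev.image) == "svchost.exe"
            and ev.sha256.lower() in IOC_SHA256)


def wow64_service_host(ev):
    """32-bit svchost.exe given a -k group; service hosts on x64 normally run from System32."""
    return (ev.kind == "process_create" and _basename(ev.image) == "svchost.exe"
            and "\\syswow64\\" in ev.image.lower() and " -k " in ev.cmdline.lower())


RULES = {
    "self_delete": self_delete,
    "svchost_loads_ioc": svchost_loads_ioc,
    "wow64_service_host": wow64_service_host,
}


def triage(events):
    """Return {rule_name: [pid, ...]} for every rule that fired on the events."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.pid)
    return hits


if __name__ == "__main__":
    for name, pids in triage(EVENTS).items():
        print(f"{name}: PIDs {pids}")
```

The self-delete rule compares the `del` target against the parent's image path rather than matching on `cmd /c del` alone, which keeps ordinary cleanup scripts out of the alert stream. The hash rule is the narrowest of the three and will only catch this exact `syst.dll`; the SysWOW64 svchost rule is the broad hunt that would also surface a recompiled payload.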

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \??\c:\windows\SysWOW64\syst.dll

    Filesize

    246KB

    MD5

    2d97751212dc6002c1ffdab8bc0b5311

    SHA1

    af2fa9a124ecd748892f9914342713aa92fda772

    SHA256

    ddd49967b84504e84f02f8cade291af2defba8af09f85513eabb572ef240129e

    SHA512

    be07684de55a9b8b5737831a4ef4653453dd806d4f5364f96c628b0a7503b19f34383130aa6daf35427dbc4f126c68d51cae238d9a1e70bbf7504d0f8aaf05a8

  • memory/1044-0-0x0000000000400000-0x000000000049B714-memory.dmp

    Filesize

    621KB

  • memory/1044-1-0x000000000045A000-0x000000000045D000-memory.dmp

    Filesize

    12KB

  • memory/1044-9-0x0000000000400000-0x000000000049B714-memory.dmp

    Filesize

    621KB

  • memory/4172-10-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/4172-15-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/4172-16-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

  • memory/4172-22-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB