Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
Size: 304KB
MD5: e1b9c7784255dea11ef8d1cd7793c47d
SHA1: 71308a72359b67c25f78b160840d96a1b80dea9e
SHA256: 88b22f75787681796246c4600f3576e324f49c2bf8a3a64e475892d4dd52a224
SHA512: 506dd104e3e0c6a0800db9895849519eda4badb5a7f30f98968f5e7df3d973aa2e4ac5a8da2d63cbf4fc1a7a3e218e9d46c3ec8fd71715e63645f40fcd3a5e7e
SSDEEP: 6144:MC0HgFlIc9W4CivQsPIEBRig+RvMTz9hTdtiRVfuL9OQ3v:CHg/Ic9DtRuRkTz9JdWVQz/
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 5 IoCs
resource | yara_rule
behavioral1/memory/276-2-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2
behavioral1/memory/2472-16-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2
behavioral1/memory/276-20-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2
behavioral1/memory/2472-35-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2
behavioral1/memory/276-36-0x0000000000400000-0x0000000000517000-memory.dmp | modiloader_stage2
Deletes itself 1 IoCs
pid | Process
2784 | cmd.exe
Executes dropped EXE 1 IoCs
pid | Process
2472 | time.exe
Loads dropped DLL 2 IoCs
pid | Process
276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\_time.exe | time.exe
File opened for modification | C:\Windows\SysWOW64\_time.exe | time.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2472 set thread context of 2752 | 2472 | time.exe | 32
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | time.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of WriteProcessMemory 14 IoCs
description | pid | Process | procid_target
PID 276 wrote to memory of 2472 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 31
PID 276 wrote to memory of 2472 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 31
PID 276 wrote to memory of 2472 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 31
PID 276 wrote to memory of 2472 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 31
PID 2472 wrote to memory of 2752 | 2472 | time.exe | 32
PID 2472 wrote to memory of 2752 | 2472 | time.exe | 32
PID 2472 wrote to memory of 2752 | 2472 | time.exe | 32
PID 2472 wrote to memory of 2752 | 2472 | time.exe | 32
PID 2472 wrote to memory of 2752 | 2472 | time.exe | 32
PID 2472 wrote to memory of 2752 | 2472 | time.exe | 32
PID 276 wrote to memory of 2784 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 33
PID 276 wrote to memory of 2784 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 33
PID 276 wrote to memory of 2784 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 33
PID 276 wrote to memory of 2784 | 276 | e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe"
  PID: 276
  signatures: Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\time.exe"
    PID: 2472
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      command line: "C:\Windows\system32\svchost.exe"
      PID: 2752
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DelSvel.bat""
    PID: 2784
    signatures: Deletes itself; System Location Discovery: System Language Discovery
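The tables above record three things that, taken together, are the signature of process hollowing: the dropped time.exe (2472) creates a child svchost.exe (2752), writes into it six times, and then calls SetThreadContext on it. Writes alone are not enough, since the original sample (276) also writes into the child cmd.exe (2784) it spawns and never hollows it. The script below, an added example that is neither tria.ge code nor the loader's, correlates those rows into a verdict. EVENTS is constructed by hand from the report (one write_memory per "wrote to memory of" row, one set_thread_context row, the three parent-to-child edges of the process tree, keyed on Windows PIDs rather than the sandbox's procid_target index); the Event fields, SYSTEM_DIRS and hollowing_candidates() are this example's own assumptions, not a tria.ge export format. Note the WOW64 caveat visible in the tree: the 32-bit loader launches "C:\Windows\system32\svchost.exe" but the image that actually runs is C:\Windows\SysWOW64\svchost.exe, so the system-binary check matches both directories.

```python
"""Correlate sandbox behaviour rows into a process-hollowing verdict.

Added example for this report; it is not tria.ge code and not the loader's
code. EVENTS is constructed by hand from the "Suspicious use of
WriteProcessMemory", "Suspicious use of SetThreadContext" and "Processes"
sections. The Event fields, SYSTEM_DIRS and hollowing_candidates() are
assumptions of this example, not a tria.ge export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int                 # acting process (Windows PID)
    process: str             # image name of the acting process
    action: str              # "create_process" | "write_memory" | "set_thread_context"
    target_pid: int          # process acted upon
    target_image: str = ""   # full image path of the child, create_process only


SAMPLE = "e1b9c7784255dea11ef8d1cd7793c47d_JaffaCakes118.exe"
TIME_EXE = "C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\time.exe"
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"

# Constructed from the report: one write_memory per "wrote to memory of" row
# (4 + 6 + 4), one set_thread_context row, and the three parent->child edges
# of the process tree.
EVENTS = (
    [Event(276, SAMPLE, "create_process", 2472, TIME_EXE)]
    + [Event(276, SAMPLE, "write_memory", 2472)] * 4
    + [Event(2472, "time.exe", "create_process", 2752, SVCHOST)]
    + [Event(2472, "time.exe", "write_memory", 2752)] * 6
    + [Event(2472, "time.exe", "set_thread_context", 2752)]
    + [Event(276, SAMPLE, "create_process", 2784, CMD)]
    + [Event(276, SAMPLE, "write_memory", 2784)] * 4
)

# Both directories: a 32-bit loader asking for system32\svchost.exe is
# redirected to SysWOW64 by WOW64, which is what the process tree shows.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def hollowing_candidates(events):
    """Return one dict per (parent, child) pair where the parent created the
    child, wrote into it, and then changed one of its threads' context.

    Writes on their own are not a verdict: the same parent (276) also writes
    into cmd.exe (2784), which it never hollows. The SetThreadContext edge is
    what separates injection from plain process creation.
    """
    names = {}                   # pid -> image name
    created = {}                 # child pid -> (parent pid, child image path)
    writes = defaultdict(int)    # (parent, child) -> write count
    ctx = set()                  # (parent, child) pairs with SetThreadContext
    for e in events:
        names[e.pid] = e.process
        key = (e.pid, e.target_pid)
        if e.action == "create_process":
            created[e.target_pid] = (e.pid, e.target_image)
        elif e.action == "write_memory":
            writes[key] += 1
        elif e.action == "set_thread_context":
            ctx.add(key)

    hits = []
    for parent, child in sorted(ctx):
        if child not in created or created[child][0] != parent:
            continue                      # context change on a process it did not create
        if writes[(parent, child)] == 0:
            continue                      # no payload written: not hollowing
        image = created[child][1]
        hits.append({
            "parent_pid": parent,
            "parent_image": names.get(parent, "?"),
            "child_pid": child,
            "child_image": image,
            "writes": writes[(parent, child)],
            "system_binary_host": image.lower().startswith(SYSTEM_DIRS),
        })
    return hits


if __name__ == "__main__":
    for hit in hollowing_candidates(EVENTS):
        print(f"{hit['parent_image']} ({hit['parent_pid']}) -> "
              f"{hit['child_image']} ({hit['child_pid']}): "
              f"{hit['writes']} writes, system binary host={hit['system_binary_host']}")
```

Run as-is it reports a single candidate, time.exe (2472) into svchost.exe (2752) with six writes into a system binary; the 276 to 2472 and 276 to 2784 write rows are correctly ignored because no SetThreadContext follows them. The same three-edge rule (create, write, set context, all from one parent into one child) transfers directly to EDR telemetry where those API calls are logged per process.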
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 212B
  MD5: 04af9db1415ca5493c0906a17d659851
  SHA1: 42a5121392a06f50c38e9478e545e73588d55a96
  SHA256: ea3c759312473c75fe6f47167dc8ea48d94139168b8334e96f73fd9f78a2a047
  SHA512: eaef19c63992ce2d045394cc1e9a1f778b9d1452b2df194fe50e3b0d1d963770db0bb42b9d7388f18a614ee789c30e82d05e0dc928d7b36772fe7865eab1eac3
- Filesize: 304KB
  MD5: e1b9c7784255dea11ef8d1cd7793c47d
  SHA1: 71308a72359b67c25f78b160840d96a1b80dea9e
  SHA256: 88b22f75787681796246c4600f3576e324f49c2bf8a3a64e475892d4dd52a224
  SHA512: 506dd104e3e0c6a0800db9895849519eda4badb5a7f30f98968f5e7df3d973aa2e4ac5a8da2d63cbf4fc1a7a3e218e9d46c3ec8fd71715e63645f40fcd3a5e7e