Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15/09/2024, 15:56
General
-
Target
e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
-
Size
63KB
-
MD5
e2da7066ea5a0742bac601d087d14278
-
SHA1
81fe51aeb3f952c456ca1f387ca29eeee47d5442
-
SHA256
9b02f081664596e22b8a28f8a6ea361f48d71f0ab15a448432fe4157cd351f40
-
SHA512
b52c653f216c7949f4b72b90e312839f11206fdbf0bd9dabb3d9151bbb8cca131e70725e29509b37d5925530d880e5f8d47e001d52dc36264e9af6affd06e05c
-
SSDEEP
1536:Ly1XY73AYrsk3Ly/h7RQItkO6451kyzIU8R5Jnm:VA4h7gh7RQItlyp5Jm
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 9 IoCs
-
Executes dropped EXE 20 IoCs
-
Loads dropped DLL 21 IoCs
-
Drops file in System32 directory 22 IoCs
-
Suspicious use of SetThreadContext 11 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 444 "C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 444 C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 516 "C:\Windows\SysWOW64\svcchosst.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 516 C:\Windows\SysWOW64\svcchosst.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\system32\svcchosst.exe 520 "C:\Windows\SysWOW64\svcchosst.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\svcchosst.exeC:\Windows\SysWOW64\svcchosst.exe 520 C:\Windows\SysWOW64\svcchosst.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5e2da7066ea5a0742bac601d087d14278
SHA181fe51aeb3f952c456ca1f387ca29eeee47d5442
SHA2569b02f081664596e22b8a28f8a6ea361f48d71f0ab15a448432fe4157cd351f40
SHA512b52c653f216c7949f4b72b90e312839f11206fdbf0bd9dabb3d9151bbb8cca131e70725e29509b37d5925530d880e5f8d47e001d52dc36264e9af6affd06e05c
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
312KB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
312KB
-
Filesize
276KB
-
Filesize
276KB
-
Filesize
276KB