Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 15:56
Static task: static1
Behavioral task: behavioral1
  Sample: e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
Size: 63KB
MD5: e2da7066ea5a0742bac601d087d14278
SHA1: 81fe51aeb3f952c456ca1f387ca29eeee47d5442
SHA256: 9b02f081664596e22b8a28f8a6ea361f48d71f0ab15a448432fe4157cd351f40
SHA512: b52c653f216c7949f4b72b90e312839f11206fdbf0bd9dabb3d9151bbb8cca131e70725e29509b37d5925530d880e5f8d47e001d52dc36264e9af6affd06e05c
SSDEEP: 1536:Ly1XY73AYrsk3Ly/h7RQItkO6451kyzIU8R5Jnm:VA4h7gh7RQItlyp5Jm
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 9 IoCs
resource | yara_rule
behavioral1/memory/2024-16-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/2944-48-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/1920-72-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/1988-92-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/2848-111-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/3052-132-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/1292-173-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/2304-211-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
behavioral1/memory/2568-231-0x0000000000400000-0x0000000000445000-memory.dmp | modiloader_stage2
Executes dropped EXE 20 IoCs
pid | Process
2944 | svcchosst.exe
2412 | svcchosst.exe
1920 | svcchosst.exe
2824 | svcchosst.exe
1988 | svcchosst.exe
1792 | svcchosst.exe
2848 | svcchosst.exe
1612 | svcchosst.exe
3052 | svcchosst.exe
848 | svcchosst.exe
1528 | svcchosst.exe
2496 | svcchosst.exe
1292 | svcchosst.exe
784 | svcchosst.exe
1628 | svcchosst.exe
2024 | svcchosst.exe
2304 | svcchosst.exe
2744 | svcchosst.exe
2568 | svcchosst.exe
1180 | svcchosst.exe
Loads dropped DLL 21 IoCs
pid | Process
2308 | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
2308 | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
2944 | svcchosst.exe
2412 | svcchosst.exe
2412 | svcchosst.exe
2824 | svcchosst.exe
2824 | svcchosst.exe
1792 | svcchosst.exe
1792 | svcchosst.exe
1612 | svcchosst.exe
1612 | svcchosst.exe
848 | svcchosst.exe
848 | svcchosst.exe
2496 | svcchosst.exe
2496 | svcchosst.exe
784 | svcchosst.exe
784 | svcchosst.exe
2024 | svcchosst.exe
2024 | svcchosst.exe
2744 | svcchosst.exe
2744 | svcchosst.exe
Drops file in System32 directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File opened for modification | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
File created | C:\Windows\SysWOW64\svcchosst.exe | svcchosst.exe
Suspicious use of SetThreadContext 11 IoCs
description | pid | Process | procid_target
PID 2024 set thread context of 2308 | 2024 | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe | 31
PID 2944 set thread context of 2412 | 2944 | svcchosst.exe | 33
PID 1920 set thread context of 2824 | 1920 | svcchosst.exe | 35
PID 1988 set thread context of 1792 | 1988 | svcchosst.exe | 37
PID 2848 set thread context of 1612 | 2848 | svcchosst.exe | 39
PID 3052 set thread context of 848 | 3052 | svcchosst.exe | 41
PID 1528 set thread context of 2496 | 1528 | svcchosst.exe | 43
PID 1292 set thread context of 784 | 1292 | svcchosst.exe | 45
PID 1628 set thread context of 2024 | 1628 | svcchosst.exe | 48
PID 2304 set thread context of 2744 | 2304 | svcchosst.exe | 50
PID 2568 set thread context of 1180 | 2568 | svcchosst.exe | 52
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcchosst.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2024

Depth 2: C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2308

Depth 3: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 444 "C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2944

Depth 4: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 444 C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2412

Depth 5: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1920

Depth 6: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2824

Depth 7: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1988

Depth 8: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1792

Depth 9: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2848

Depth 10: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1612

Depth 11: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 3052

Depth 12: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 848

Depth 13: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1528

Depth 14: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2496

Depth 15: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1292

Depth 16: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 784

Depth 17: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 504 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 1628

Depth 18: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 504 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2024

Depth 19: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 516 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2304

Depth 20: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 516 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 2744

Depth 21: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 520 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 2568

Depth 22: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 520 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID: 1180
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 63KB
MD5: e2da7066ea5a0742bac601d087d14278
SHA1: 81fe51aeb3f952c456ca1f387ca29eeee47d5442
SHA256: 9b02f081664596e22b8a28f8a6ea361f48d71f0ab15a448432fe4157cd351f40
SHA512: b52c653f216c7949f4b72b90e312839f11206fdbf0bd9dabb3d9151bbb8cca131e70725e29509b37d5925530d880e5f8d47e001d52dc36264e9af6affd06e05c