Analysis
max time kernel: 147s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/09/2024, 15:56
Static task: static1
Behavioral task: behavioral1
  Sample: e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
Size: 63KB
MD5: e2da7066ea5a0742bac601d087d14278
SHA1: 81fe51aeb3f952c456ca1f387ca29eeee47d5442
SHA256: 9b02f081664596e22b8a28f8a6ea361f48d71f0ab15a448432fe4157cd351f40
SHA512: b52c653f216c7949f4b72b90e312839f11206fdbf0bd9dabb3d9151bbb8cca131e70725e29509b37d5925530d880e5f8d47e001d52dc36264e9af6affd06e05c
SSDEEP: 1536:Ly1XY73AYrsk3Ly/h7RQItkO6451kyzIU8R5Jnm:VA4h7gh7RQItlyp5Jm
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses legitimate cloud hosting services to download and run payloads belonging to other malware families.
-
ModiLoader Second Stage 10 IoCs
resource  yara_rule
behavioral2/memory/4644-6-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/3664-20-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/3004-32-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/5072-53-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/4344-67-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/2336-79-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/4828-91-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/1544-103-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/4948-115-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
behavioral2/memory/3004-127-0x0000000000400000-0x0000000000445000-memory.dmp  modiloader_stage2
Executes dropped EXE 20 IoCs
pid   Process
3664  svcchosst.exe
4664  svcchosst.exe
3004  svcchosst.exe
4592  svcchosst.exe
4608  svcchosst.exe
1776  svcchosst.exe
5072  svcchosst.exe
1852  svcchosst.exe
4344  svcchosst.exe
2896  svcchosst.exe
2336  svcchosst.exe
3908  svcchosst.exe
4828  svcchosst.exe
3664  svcchosst.exe
1544  svcchosst.exe
5048  svcchosst.exe
4948  svcchosst.exe
764   svcchosst.exe
3004  svcchosst.exe
4448  svcchosst.exe
Drops file in System32 directory 22 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File created  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
File opened for modification  C:\Windows\SysWOW64\svcchosst.exe  svcchosst.exe
Suspicious use of SetThreadContext 11 IoCs
description  pid  Process  procid_target
PID 4644 set thread context of 4888  4644  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe  82
PID 3664 set thread context of 4664  3664  svcchosst.exe  84
PID 3004 set thread context of 4592  3004  svcchosst.exe  93
PID 4608 set thread context of 1776  4608  svcchosst.exe  96
PID 5072 set thread context of 1852  5072  svcchosst.exe  99
PID 4344 set thread context of 2896  4344  svcchosst.exe  101
PID 2336 set thread context of 3908  2336  svcchosst.exe  103
PID 4828 set thread context of 3664  4828  svcchosst.exe  105
PID 1544 set thread context of 5048  1544  svcchosst.exe  107
PID 4948 set thread context of 764  4948  svcchosst.exe  109
PID 3004 set thread context of 4448  3004  svcchosst.exe  111
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svcchosst.exe
Suspicious use of WriteProcessMemory 64 IoCs
The report lists 64 rows; identical rows for the same writer/target pair are grouped here, with the count giving how many times each appeared.
count  description  pid  Process  procid_target
8  PID 4644 wrote to memory of 4888  4644  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe  82
3  PID 4888 wrote to memory of 3664  4888  e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe  83
8  PID 3664 wrote to memory of 4664  3664  svcchosst.exe  84
3  PID 4664 wrote to memory of 3004  4664  svcchosst.exe  92
8  PID 3004 wrote to memory of 4592  3004  svcchosst.exe  93
3  PID 4592 wrote to memory of 4608  4592  svcchosst.exe  95
8  PID 4608 wrote to memory of 1776  4608  svcchosst.exe  96
3  PID 1776 wrote to memory of 5072  1776  svcchosst.exe  98
8  PID 5072 wrote to memory of 1852  5072  svcchosst.exe  99
3  PID 1852 wrote to memory of 4344  1852  svcchosst.exe  100
8  PID 4344 wrote to memory of 2896  4344  svcchosst.exe  101
1  PID 2896 wrote to memory of 2336  2896  svcchosst.exe  102
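The SetThreadContext and WriteProcessMemory tables above, read together with the process tree, show a repeating two-step pattern: a process writes into, and then resets the thread context of, a child running the same image as itself (the sample into a second copy of the sample, then svcchosst.exe into svcchosst.exe), and the overwritten child is the one that goes on to drop and launch C:\Windows\SysWOW64\svcchosst.exe, after which the cycle repeats. The dropped name svcchosst.exe is also a two-character deviation from the legitimate svchost.exe. The script below is an added example, not part of the Triage report or of any tool the page describes; it reconstructs that chain from a constructed subset of this report's own signature rows and flags the look-alike file name. The PROCESS_IMAGES map, the regular expression, the function names and the list of legitimate binary names are all assumptions made for the example. One caveat the tree itself illustrates: PIDs 3664 and 3004 appear twice (depths 3 and 16, 5 and 21) because the sandbox reused them, so a real pipeline keyed only on PID, as this example is, must also carry process creation time or a per-process GUID.

```python
"""Reconstruct a self-hollowing injection chain from Triage-style signature rows.

Added example; the input rows are copied from this report's signature tables
and the process/image map is constructed from its process tree.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the "set thread context" and "wrote to memory"
# rows of this report, one per line, in the report's own column layout.
SIGNATURE_LINES = """
PID 4644 set thread context of 4888 4644 e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe 82
PID 3664 set thread context of 4664 3664 svcchosst.exe 84
PID 3004 set thread context of 4592 3004 svcchosst.exe 93
PID 4644 wrote to memory of 4888 4644 e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe 82
PID 4644 wrote to memory of 4888 4644 e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe 82
PID 4888 wrote to memory of 3664 4888 e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe 83
PID 3664 wrote to memory of 4664 3664 svcchosst.exe 84
PID 4664 wrote to memory of 3004 4664 svcchosst.exe 92
PID 3004 wrote to memory of 4592 3004 svcchosst.exe 93
"""

# Constructed input: pid -> image name, taken from the first six entries of the
# report's process tree (assumption: PIDs are unique within this subset).
PROCESS_IMAGES = {
    4644: "e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe",
    4888: "e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe",
    3664: "svcchosst.exe",
    4664: "svcchosst.exe",
    3004: "svcchosst.exe",
    4592: "svcchosst.exe",
}

# Column layout of a Triage row: PID <src> <verb> <dst> <src again> <image> <target id>
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """Parse signature rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "src": int(m["src"]),
            "op": "ctx" if m["op"].startswith("set") else "write",
            "dst": int(m["dst"]),
            "image": m["image"],
        })
    return rows


def find_hollowing(rows, images):
    """Return sorted (parent, child) pairs where the parent both wrote into the
    child and reset its thread context, and both run the same image file: the
    'start a second copy of yourself and overwrite it' pattern in this report."""
    ops = defaultdict(set)
    for r in rows:
        ops[(r["src"], r["dst"])].add(r["op"])
    return sorted(
        pair for pair, seen in ops.items()
        if {"ctx", "write"} <= seen and images.get(pair[0]) == images.get(pair[1])
    )


def injection_chain(rows, start):
    """Follow 'wrote to memory' edges from start and return the ordered PIDs.
    The first target recorded for each writer wins; cycles stop the walk."""
    nxt = {}
    for r in rows:
        if r["op"] == "write":
            nxt.setdefault(r["src"], r["dst"])
    chain, seen = [start], {start}
    while chain[-1] in nxt and nxt[chain[-1]] not in seen:
        chain.append(nxt[chain[-1]])
        seen.add(chain[-1])
    return chain


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed list of names worth imitating; extend for your own environment.
LEGIT_SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "services.exe")


def lookalike_system_name(name, legit=LEGIT_SYSTEM_BINARIES, max_dist=2):
    """Return the legitimate binary name a dropped file name imitates, or None
    if it is either an exact match or too far from all of them."""
    name = name.lower()
    for candidate in legit:
        if name != candidate and levenshtein(name, candidate) <= max_dist:
            return candidate
    return None


if __name__ == "__main__":
    rows = parse_rows(SIGNATURE_LINES)
    print("self-hollowing pairs:", find_hollowing(rows, PROCESS_IMAGES))
    print("injection chain from 4644:", injection_chain(rows, 4644))
    print("svcchosst.exe imitates:", lookalike_system_name("svcchosst.exe"))
```

Run against the constructed rows, the chain comes out as 4644 → 4888 → 3664 → 4664 → 3004 → 4592, with (4644, 4888), (3664, 4664) and (3004, 4592) flagged as same-image hollowing pairs; in a SIEM the equivalent logic would key on Sysmon event 8/10 plus the parent and child image paths rather than on Triage rows.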
Processes
Each process is the child of the one listed above it; depth 1 is the submitted sample.

Depth 1, PID 4644: C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2, PID 4888: C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3, PID 3664: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1088 "C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4, PID 4664: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1088 C:\Users\Admin\AppData\Local\Temp\e2da7066ea5a0742bac601d087d14278_JaffaCakes118.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 5, PID 3004: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1128 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 6, PID 4592: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1128 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 7, PID 4608: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1092 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 8, PID 1776: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1092 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 9, PID 5072: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1088 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 10, PID 1852: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1088 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 11, PID 4344: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1092 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 12, PID 2896: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1092 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 13, PID 2336: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1088 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 14, PID 3908: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1088 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Depth 15, PID 4828: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1084 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 16, PID 3664: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1084 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Depth 17, PID 1544: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1084 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 18, PID 5048: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1084 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Depth 19, PID 4948: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1084 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 20, PID 764: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1084 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery

Depth 21, PID 3004: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\system32\svcchosst.exe 1092 "C:\Windows\SysWOW64\svcchosst.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery

Depth 22, PID 4448: C:\Windows\SysWOW64\svcchosst.exe
  Command line: C:\Windows\SysWOW64\svcchosst.exe 1092 C:\Windows\SysWOW64\svcchosst.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 63KB
MD5: e2da7066ea5a0742bac601d087d14278
SHA1: 81fe51aeb3f952c456ca1f387ca29eeee47d5442
SHA256: 9b02f081664596e22b8a28f8a6ea361f48d71f0ab15a448432fe4157cd351f40
SHA512: b52c653f216c7949f4b72b90e312839f11206fdbf0bd9dabb3d9151bbb8cca131e70725e29509b37d5925530d880e5f8d47e001d52dc36264e9af6affd06e05c
These hashes and the size are identical to those of the submitted sample, so the svcchosst.exe written to C:\Windows\SysWOW64 is a byte-for-byte copy of the original file rather than a separately downloaded payload.