Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2024, 23:05 UTC

General

  • Target

    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe

  • Size

    142KB

  • MD5

    ec5c6c5ccec12857f59f7b19272538c5

  • SHA1

    acd5d283a0687538a5283c11ab65020fb3fdfa44

  • SHA256

    00b80a84f335d090efa2b5712d1a07d25a027c0c4790a767aec0f413c249e17d

  • SHA512

    cf74a8eadba3e5e9f2b7d04abb362e57013f88e63aa817217aa9112fa96c53062457d577ff79c0b65f4be57c6790e03af30e2f6aaea047b4196338ab11260c10

  • SSDEEP

    3072:na7yXlM20GJSJ5EbQDjmT/GrHEi2ooRHtvQfOt8nT057Ysj5N+EfAj:nuyJ0yS35jk/CXvQ5d8nw57YsVfAj

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 14 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe"
    • UAC bypass
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:2892

Network

  • DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    233.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    233.143.123.92.in-addr.arpa
    IN PTR
    Response
    233.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-233.deploy.static.akamaitechnologies.com
  • DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS
    45.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.56.20.217.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 127.0.0.1:15963
    ec5c6c5ccec12857f59f7b19272538c5_JaffaCakes118.exe
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    233.143.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    233.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    45.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    45.56.20.217.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cmsetac.dll

    Filesize

    33KB

    MD5

    902dfdf956f39a72b0d4e2ec6a945f3e

    SHA1

    2fa96c39308cb02a898fba29a4349edae9486b65

    SHA256

    f3bed15a66f6aeeb0456298f7ce8cad83c543e6cdc4e2746a68c4dbd856996b2

    SHA512

    3b8b26680f7632ed9dc47a73ad47c3cdbccce8305b4989e5b1b60ccfdc0ab15885fb8940d77e594fbd9d1f2dd2d36940afdf0198f75002e4ad7426e813dec54d

  • C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/2892-25-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-12-0x00000000046C0000-0x00000000046CE000-memory.dmp

    Filesize

    56KB

  • memory/2892-15-0x0000000004570000-0x0000000004571000-memory.dmp

    Filesize

    4KB

  • memory/2892-16-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-17-0x0000000004560000-0x0000000004568000-memory.dmp

    Filesize

    32KB

  • memory/2892-18-0x00000000046C0000-0x00000000046CE000-memory.dmp

    Filesize

    56KB

  • memory/2892-19-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-22-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-0-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

  • memory/2892-28-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-31-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-34-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-37-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-40-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-43-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-46-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-49-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-52-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2892-55-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB
