Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 20/09/2024, 06:51
Static task: static1
Behavioral task: behavioral1
  Sample: ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
- Size: 188KB
- MD5: ed0d6dd06661db39631a957f9ebd3c4c
- SHA1: e847c151d71e169cbf9f83c93a18bfe5f9c3a6d5
- SHA256: 647840b0c745bb5d9ef481038b6f45f2eda25f8483bbfea733fe7adac03c7455
- SHA512: c6e1740a492d6ebcd99756504e4e452af8711f8aba2d080bcac2ee2e808540624538222eeff6e89086222df57e5f819b90501e15aceee3a898f505d93aa20d24
- SSDEEP: 3072:pmwFa2NYyJ30qzzhKL6AO00K563RXBXBbourVRPDyrt:phbDzs595chJBbourVRP
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource  yara_rule
  behavioral1/memory/2600-25-0x0000000000400000-0x0000000000432000-memory.dmp  modiloader_stage2
  behavioral1/memory/2600-50-0x0000000000400000-0x0000000000432000-memory.dmp  modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid   Process
  2600  photo01.exe
  2316  server.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  2600  photo01.exe
  2600  photo01.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  photo01.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2316  server.exe
  2316  server.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2124  DllHost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description  pid  Process  procid_target
  PID 1448 wrote to memory of 2600  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe  30
  PID 1448 wrote to memory of 2600  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe  30
  PID 1448 wrote to memory of 2600  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe  30
  PID 1448 wrote to memory of 2600  1448  ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe  30
  PID 2600 wrote to memory of 2316  2600  photo01.exe  31
  PID 2600 wrote to memory of 2316  2600  photo01.exe  31
  PID 2600 wrote to memory of 2316  2600  photo01.exe  31
  PID 2600 wrote to memory of 2316  2600  photo01.exe  31
  PID 2316 wrote to memory of 1236  2316  server.exe  21
  PID 2316 wrote to memory of 1236  2316  server.exe  21
  PID 2316 wrote to memory of 1236  2316  server.exe  21
  PID 2316 wrote to memory of 1236  2316  server.exe  21
  PID 2316 wrote to memory of 1236  2316  server.exe  21
  PID 2316 wrote to memory of 1236  2316  server.exe  21
Processes
- C:\Windows\Explorer.EXE
  command: C:\Windows\Explorer.EXE
  PID: 1236
  - C:\Users\Admin\AppData\Local\Temp\ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe
    command: "C:\Users\Admin\AppData\Local\Temp\ed0d6dd06661db39631a957f9ebd3c4c_JaffaCakes118.exe"
    PID: 1448
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\photo01.exe
      command: "C:\Users\Admin\AppData\Local\Temp\photo01.exe"
      PID: 2600
      signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        command: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        PID: 2316
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\DllHost.exe
  command: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2124
  signatures: System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 55KB
  MD5: 095dc0190f34b162c1027b2108beae8a
  SHA1: 330fd7aff62e617d7db78aa3411141eeb75e6082
  SHA256: 5ddd498744efe01380e923f3a29065290c123a129b68c8de52d4d6a6b30014da
  SHA512: 21da19e0598b84e12386298ff3510644405df82ed804689750c9738bca80c7374ab61c3dcbb061b66b4a6aa4093756e9487195d964257d14280008a814028a72
- Filesize: 163KB
  MD5: 5042e637a61f374960f8d94dd121c1cd
  SHA1: c3ad97167e820d5b6d7815fe01f995ba37b1ce6f
  SHA256: b534d46182ca8c02df34cc1b96fac3c500c7d4c0fab1f4b1fb81cafee32e9437
  SHA512: 6e9c9afbcd8233e2fd8290e3f8c655ffe6dcbf0a1d88d33d2b94feab06a21ddc3551274d4517796390a052a1a4dafefca056ec1221824dc13721122b2c1c6ef8
- Filesize: 50KB
  MD5: 790ca7727b189e9728b3b1eeb54a4fc7
  SHA1: e048b9b9717bcc701b40e254783b33924ab7b413
  SHA256: fc0641364c42caf5b4b92c7882242f9247d80b37692a4b39d3020f3816b10714
  SHA512: 69e4feabbd28b645a2a6333f45555d4ed17f7c71dc2607c727f96348c586c68180925a6c34c0425e68788cfcd9bdcbb1de1cc9ce3d3546d639b09e62de0836d7