Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

efa30cffbc...18.exe

windows7-x64

10

efa30cffbc...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe

  • Size

    769KB

  • MD5

    efa30cffbcb6f1ef76a52df64f1fcde7

  • SHA1

    fb6bb500fecee67baf2494faac26151f0d92d453

  • SHA256

    e06c719999058b6eb01a0fee87a3baa7a543521e98390f00bbd1aa8129a7d522

  • SHA512

    2c4ac69e29384edb14a3620f3084ba8f97b28cb8fc1f7395a67361557ec38d50655ab10fa0d7a927fe3df280a271343a2dc0b8d56639645b71a71a443a5a26b6

  • SSDEEP

    24576:5MrldBZ+ycjx6r4tlXTFKfpXvZRRdmPo2S3:5MrlfZroLeXvmPoB

Score
10/10
modiloaderdiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 17 IoCs
  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe
      "C:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\Skype.exe
        C:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe
        3⤵
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2568
    • C:\Users\Admin\AppData\Local\Temp\Skype.exe
      "C:\Users\Admin\AppData\Local\Temp\Skype.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\msnsg.exe
        "C:\Windows\msnsg.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Skype.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1960
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe
    Filesize

    288KB

    MD5

    866163b557e519b493cb5bd08c76c306

    SHA1

    752495387fe55c2ac583d7b7c914f4bd2d566b45

    SHA256

    a200e105e3029925089f217ad60ffab789b3f0b446d3014e59dee29f5c6a6dae

    SHA512

    9feac03b8a398ef004b49760f7651a0a6443bc1ec1c7467fd8a2df4f8fc077d6fc464d981958942f8f0e308fff840d1230092c5b5f50b78eb22389d1cc4ceed7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Skype.exe
    Filesize

    854KB

    MD5

    b7f31116ac382b7664e3b9b987d8a991

    SHA1

    c2daf6b78a621374e00d7750137a6454ecd8e5f3

    SHA256

    e9c524d0ef86384d91ebf81fc0107a649d8d4f747734206ff19337cae38fddad

    SHA512

    d02c17811e2357a2a2dc212f0f9b96f7af1aa98d0bdacf79bd3c946ff2bdc3a41af5915530910f773942b06b923759d7c53d2e3880924ab5bf0ccc2e2e122150

    Download Submit

  • memory/1960-75-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-97-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-85-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-82-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-79-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-64-0x0000000000660000-0x0000000000668000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1960-103-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-55-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-66-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-100-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-59-0x0000000004630000-0x000000000463E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1960-88-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-62-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-65-0x0000000004630000-0x000000000463E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1960-94-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-91-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-63-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-69-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1960-72-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2440-17-0x0000000002950000-0x0000000002A52000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2568-41-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2568-38-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2568-39-0x00000000002F0000-0x00000000003F2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2948-54-0x0000000005000000-0x0000000005102000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2948-28-0x00000000002E0000-0x00000000003E2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2948-27-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2948-61-0x0000000005000000-0x0000000005102000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2948-53-0x0000000000400000-0x0000000000502000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2948-46-0x0000000005000000-0x0000000005010000-memory.dmp

    Filesize

    64KB

    Download