Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 10:53
Static task
static1
Behavioral task
behavioral1
Sample
efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe
-
Size
769KB
-
MD5
efa30cffbcb6f1ef76a52df64f1fcde7
-
SHA1
fb6bb500fecee67baf2494faac26151f0d92d453
-
SHA256
e06c719999058b6eb01a0fee87a3baa7a543521e98390f00bbd1aa8129a7d522
-
SHA512
2c4ac69e29384edb14a3620f3084ba8f97b28cb8fc1f7395a67361557ec38d50655ab10fa0d7a927fe3df280a271343a2dc0b8d56639645b71a71a443a5a26b6
-
SSDEEP
24576:5MrldBZ+ycjx6r4tlXTFKfpXvZRRdmPo2S3:5MrlfZroLeXvmPoB
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msnsg.exe -
ModiLoader Second Stage 17 IoCs
resource yara_rule behavioral1/memory/2568-41-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/2948-53-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-62-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-63-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-66-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-69-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-72-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-75-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-79-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-82-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-85-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-88-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-91-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-94-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-97-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-100-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 behavioral1/memory/1960-103-0x0000000000400000-0x0000000000502000-memory.dmp modiloader_stage2 -
Executes dropped EXE 4 IoCs
pid Process 2692 Skype Flooder v3.0.exe 2948 Skype.exe 2568 Skype.exe 1960 msnsg.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine msnsg.exe Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine Skype.exe Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine Skype.exe -
Loads dropped DLL 16 IoCs
pid Process 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 2692 Skype Flooder v3.0.exe 2692 Skype Flooder v3.0.exe 2692 Skype Flooder v3.0.exe 2948 Skype.exe 2948 Skype.exe 2948 Skype.exe 2692 Skype Flooder v3.0.exe 2692 Skype Flooder v3.0.exe 2568 Skype.exe 2568 Skype.exe 2568 Skype.exe 2948 Skype.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnsg = "C:\\Windows\\msnsg.exe" msnsg.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Skype.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msnsg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msnsg.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\ntdtcstp.dll msnsg.exe File created C:\Windows\cmsetac.dll msnsg.exe File created C:\Windows\msnsg.exe Skype.exe File opened for modification C:\Windows\msnsg.exe Skype.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Skype Flooder v3.0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Skype.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Skype.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msnsg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2948 Skype.exe Token: SeBackupPrivilege 2212 vssvc.exe Token: SeRestorePrivilege 2212 vssvc.exe Token: SeAuditPrivilege 2212 vssvc.exe Token: SeDebugPrivilege 1960 msnsg.exe Token: SeDebugPrivilege 1960 msnsg.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2692 Skype Flooder v3.0.exe 1960 msnsg.exe 1960 msnsg.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2692 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 30 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2440 wrote to memory of 2948 2440 efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe 31 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2692 wrote to memory of 2568 2692 Skype Flooder v3.0.exe 32 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 PID 2948 wrote to memory of 1960 2948 Skype.exe 36 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msnsg.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\efa30cffbcb6f1ef76a52df64f1fcde7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe"C:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\Skype.exeC:\Users\Admin\AppData\Local\Temp\Skype Flooder v3.0.exe3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2568
-
-
-
C:\Users\Admin\AppData\Local\Temp\Skype.exe"C:\Users\Admin\AppData\Local\Temp\Skype.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\msnsg.exe"C:\Windows\msnsg.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Skype.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1960
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD5866163b557e519b493cb5bd08c76c306
SHA1752495387fe55c2ac583d7b7c914f4bd2d566b45
SHA256a200e105e3029925089f217ad60ffab789b3f0b446d3014e59dee29f5c6a6dae
SHA5129feac03b8a398ef004b49760f7651a0a6443bc1ec1c7467fd8a2df4f8fc077d6fc464d981958942f8f0e308fff840d1230092c5b5f50b78eb22389d1cc4ceed7
-
Filesize
854KB
MD5b7f31116ac382b7664e3b9b987d8a991
SHA1c2daf6b78a621374e00d7750137a6454ecd8e5f3
SHA256e9c524d0ef86384d91ebf81fc0107a649d8d4f747734206ff19337cae38fddad
SHA512d02c17811e2357a2a2dc212f0f9b96f7af1aa98d0bdacf79bd3c946ff2bdc3a41af5915530910f773942b06b923759d7c53d2e3880924ab5bf0ccc2e2e122150