Analysis
max time kernel: 141s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 18:01
Behavioral task behavioral1
Sample: f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe
Size: 959KB
MD5: f0592bed49a86e2ffeda5c754fc9b99b
SHA1: 41009fc985883c872192c4a280c957fc314d4a5e
SHA256: 01b9b754e1c0094d2d9e3361ec13e7ad2e627e922d6e13d3ebf0b109e6729cdd
SHA512: 9e124963de642d7aaf904e37d5a4096785e1c7a930d7a920cac1a18f5353a232ae79f8607a1b41be2f814fc64a1383a24beb7103f3f0353d38f7196127d5f7e9
SSDEEP: 12288:SryEOFaG07Vubv+nR70mW0F37omjiZnS9Qjrl+bKeD8lsQ/FbVVPJIOWFeJu46/0:w5r7XBWoU+iv+bf0jZSOKqu4pBObP8
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 2 IoCs
resource | yara_rule
behavioral1/files/0x0008000000018d68-7.dat | modiloader_stage2
behavioral1/memory/1752-19-0x0000000013140000-0x0000000013171000-memory.dmp | modiloader_stage2
Executes dropped EXE 2 IoCs
pid | Process
1752 | server.exe
2712 | netservice.exe

Loads dropped DLL 2 IoCs
pid | Process
2348 | f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe
2348 | f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe

resource | yara_rule
behavioral1/memory/2712-21-0x0000000010410000-0x000000001046F000-memory.dmp | upx
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netservice.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2712 | netservice.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1956 | DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2348 | f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2348 wrote to memory of 1752 | 2348 | f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe | 31 (4 entries)
PID 1752 wrote to memory of 2836 | 1752 | server.exe | 33 (4 entries)
PID 2712 wrote to memory of 2824 | 2712 | netservice.exe | 35 (all remaining entries, 64 IoCs in total)
Processes
C:\Users\Admin\AppData\Local\Temp\f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe
  command: "C:\Users\Admin\AppData\Local\Temp\f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe"
  PID: 2348
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.exe
      command: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 1752
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          command: cmd /c del "C:\Users\Admin\AppData\Local\Temp\server.exe"
          PID: 2836
          - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\DllHost.exe
  command: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 1956
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Favorites\netservice.exe
  command: C:\Users\Admin\Favorites\netservice.exe
  PID: 2712
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command: C:\Windows\System32\svchost.exe
      PID: 2824
      - System Location Discovery: System Language Discovery
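Added example, not part of the tria.ge report: the three behaviours the process tree and the WriteProcessMemory table record (a dropped loader deleting itself through `cmd /c del`, repeated cross-process writes from netservice.exe into a SysWOW64 svchost.exe, and executables launched from the user's Favorites and Temp folders) written as detection checks over a constructed event list. The events reuse the report's PIDs and paths; the parent PID 1000 for the top-level processes and the per-pair write counts (4, 4 and 56, the last being 64 total minus the 8 listed for the other pairs) are assumptions.

```python
import ntpath
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as the report shows it


@dataclass(frozen=True)
class MemWrite:
    src_pid: int    # process that called WriteProcessMemory
    dst_pid: int    # process whose memory was written


# Constructed process-creation events modelled on the report's tree.
# ppid 1000 for the top-level processes is an assumption (the report shows none).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f0592bed49a86e2ffeda5c754fc9b99b_JaffaCakes118.exe"
PROCS = [
    Proc(2348, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1752, 2348, r"C:\Users\Admin\AppData\Local\Temp\server.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'),
    Proc(2836, 1752, r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c del "C:\Users\Admin\AppData\Local\Temp\server.exe"'),
    Proc(1956, 1000, r"C:\Windows\SysWOW64\DllHost.exe",
         r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
    Proc(2712, 1000, r"C:\Users\Admin\Favorites\netservice.exe",
         r"C:\Users\Admin\Favorites\netservice.exe"),
    Proc(2824, 2712, r"C:\Windows\SysWOW64\svchost.exe",
         r"C:\Windows\System32\svchost.exe"),
]

# Constructed WriteProcessMemory events with the report's source/target pairs.
# The 56 is assumed: 64 IoCs in total minus the 8 listed for the first two pairs.
WRITES = ([MemWrite(2348, 1752)] * 4 + [MemWrite(1752, 2836)] * 4
          + [MemWrite(2712, 2824)] * 56)

# User-profile folders that hold data, not programs; heuristic list, not exhaustive.
SUSPICIOUS_USER_DIRS = ("\\favorites\\", "\\appdata\\local\\temp\\")


def _name(path):
    return ntpath.basename(path).lower()


def find_self_deletion(procs):
    """cmd.exe children whose 'del' command line names the parent's own image."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _name(p.image) != "cmd.exe" or " del " not in p.cmdline.lower():
            continue
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() in p.cmdline.lower():
            hits.append((parent.pid, parent.image))
    return hits


def find_svchost_injection(procs, writes):
    """Writes into svchost.exe from anything other than services.exe (its normal
    parent), aggregated per (source, target) so repeated events become one finding."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter((w.src_pid, w.dst_pid) for w in writes)
    hits = []
    for (src, dst), n in counts.items():
        s, d = by_pid.get(src), by_pid.get(dst)
        if not s or not d or _name(d.image) != "svchost.exe":
            continue
        if _name(s.image) != "services.exe":
            hits.append((src, _name(s.image), dst, n))
    return hits


def find_user_dir_execution(procs):
    """Executables running from user-profile folders that normally hold no code."""
    return [(p.pid, p.image) for p in procs
            if "\\users\\" in p.image.lower()
            and any(d in p.image.lower() for d in SUSPICIOUS_USER_DIRS)]


def triage(procs, writes):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "self_deletion": find_self_deletion(procs),
        "svchost_injection": find_svchost_injection(procs, writes),
        "user_dir_execution": find_user_dir_execution(procs),
    }


if __name__ == "__main__":
    for check, findings in triage(PROCS, WRITES).items():
        print(check)
        for finding in findings:
            print("   ", finding)
```

On this data the self-deletion check attributes the `del` to server.exe (PID 1752), the injection check collapses the repeated writes into a single netservice.exe to svchost.exe finding with its count, and the folder check lists the sample, server.exe and netservice.exe. The sandbox itself runs the submitted sample from Temp, so the Temp hit on PID 2348 is expected in a sandbox and is only meaningful on a real endpoint.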
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7KB
MD5: 6800c36a62f302b22a21c6ba59b01258
SHA1: d505a2fc16d4dbf87fcff92284f158d5403b88c3
SHA256: a5558ecf6cc6175c7ee904ecb11e6403dc7428ff53364a184d9e723259dd08c2
SHA512: 13fc3853562761c31a0f04820f45c67cee00405287882901b9740e4bc147accf27c24681fee93a1b23f1ab5209b16973ede62b81d795e70d79d59d48379b688b

Filesize: 175KB
MD5: 7014c7b54007023daab3e74e595cffd1
SHA1: 028bc6ccd2e6615e5d5de4667a5118cf26a1d8f6
SHA256: 6d77d1cca39eea5c63d8ffb134dbde6307d2d630c69134525da64871bb1da608
SHA512: e222d16a2ae07ae60303cf844f03c7e1cdfa6973ce391196a5b05ff9d79e568bb9534becd41133d206e257934aa98d571aef1fc05f6c63c591f24b108c435da0