Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 06:24
Static task: static1
Behavioral task: behavioral1
  Sample: f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe
Size: 666KB
MD5: f563f00b91d1ef4525f378fd326f3afa
SHA1: 0ec5d7ee5e4cd2ed8b878f676a9d0df59dad0868
SHA256: 485a4b4fcb0f7f52c4f78daa2c93e3255552a576c8f25392f1b666df31332748
SHA512: bec36461db9cb7418a4b2ad3e3e987f1fe604ad7a517be8cbbce72698e8e71729900a8bd3989b7b965c6e772ccc596b6811cc9838d63b5d16dc770a7fe2b0214
SSDEEP: 12288:BdRa/eAHYDS5IDrFVSSyX6axhh9Ms2CF3Z4mxxESi7hG2h98PB3m6u/iO:U/Z4oIDr3pB67TpQmXELG2ho6
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource                                                                      yara_rule
behavioral1/memory/2552-67-0x0000000000400000-0x00000000004BB000-memory.dmp  modiloader_stage2

Executes dropped EXE (1 IoC)
pid   Process
2552  a.exe

Loads dropped DLL (2 IoCs)
pid   Process
2648  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe
2648  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe

Drops file in Program Files directory (1 IoC)
description   ioc                                                                 Process
File created  C:\Program Files\Common Files\Microsoft Shared\MSINFO\FieleWay.txt  a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                              procid_target
PID 2648 wrote to memory of 2552  2648  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe  30
PID 2648 wrote to memory of 2552  2648  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe  30
PID 2648 wrote to memory of 2552  2648  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe  30
PID 2648 wrote to memory of 2552  2648  f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe  30
PID 2552 wrote to memory of 2968  2552  a.exe                                                31
PID 2552 wrote to memory of 2968  2552  a.exe                                                31
PID 2552 wrote to memory of 2968  2552  a.exe                                                31
PID 2552 wrote to memory of 2968  2552  a.exe                                                31
Processes
C:\Users\Admin\AppData\Local\Temp\f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f563f00b91d1ef4525f378fd326f3afa_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
    C:\Users\Admin\AppData\Local\Temp\a.exe
      "C:\Users\Admin\AppData\Local\Temp\a.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2552
        C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          PID:2968
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 352KB
MD5: 09d21e741f4beb223097d7dddb7d9f6c
SHA1: b24811ed9ac617913d5c2fe8e802902fc367b1b4
SHA256: ed79c1ef14dd5da1c39d3534e9df608327548fee0935ac1885380a3c5916af18
SHA512: 3aea6b6eeb0aaa6f82b233ce8e0e36cf9db4ad44914133a69f22a1f2534315cb6c6c09311410937c4f169f935ac5f033d374e3f1a6fbce0e1e678ec865279acd