Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 06:43
Static task
- static1

Behavioral task
- behavioral1
  - Sample: f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
  - Resource: win7-20240903-en

Behavioral task
- behavioral2
  - Sample: f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
- Size: 846KB
- MD5: f56bc2805b3718860fcb83824340a454
- SHA1: 22dd89a2bb6c712a1fab8df6ccef6a7b0e83792a
- SHA256: 499074fbac5a05f63603e572cf4ad3db7f9935607c03e49cb3649a7dbe1b9974
- SHA512: 59b9b2ff5d69b40665d3269dca642dc029e0b2fefde43a27e1a7aa2b3906cb61ebbc50a020b4ba0c76e67adb8e18bc56236a3c5f7a3f1861a0dcd4a82082675b
- SSDEEP: 12288:/uM8rDkP6zYf6AkQ/TkIs8KCDdd5OCvuEpwuHOYNcmi0vEBhJJesgkl+5eu0:/0rAfF5kVsvOMJwINcMvcri0
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
resource | yara_rule
- behavioral1/memory/2716-14-0x0000000000401000-0x000000000043F000-memory.dmp | modiloader_stage2
- behavioral1/memory/2716-16-0x0000000000400000-0x0000000000526000-memory.dmp | modiloader_stage2
- behavioral1/memory/2716-18-0x0000000000401000-0x000000000043F000-memory.dmp | modiloader_stage2
- behavioral1/memory/2592-28-0x0000000000400000-0x0000000000526000-memory.dmp | modiloader_stage2

Executes dropped EXE (2 IoCs)
pid | Process
- 2716 | explorer.exe
- 2592 | explorer.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | explorer.exe
- Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | explorer.exe

Loads dropped DLL (8 IoCs)
pid | Process
- 2280 | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
- 2280 | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
- 2716 | explorer.exe
- 2716 | explorer.exe
- 2280 | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
- 2280 | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
- 2592 | explorer.exe
- 2592 | explorer.exe

yara rule: themida (6 IoCs)
resource | yara_rule
- behavioral1/files/0x0009000000016d15-2.dat | themida
- behavioral1/memory/2716-11-0x0000000000400000-0x0000000000526000-memory.dmp | themida
- behavioral1/memory/2280-8-0x00000000030E0000-0x0000000003206000-memory.dmp | themida
- behavioral1/memory/2716-16-0x0000000000400000-0x0000000000526000-memory.dmp | themida
- behavioral1/memory/2592-24-0x0000000000400000-0x0000000000526000-memory.dmp | themida
- behavioral1/memory/2592-28-0x0000000000400000-0x0000000000526000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe

Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
- 2716 | explorer.exe
- 2592 | explorer.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
- File created | C:\Windows\explorer.exe | explorer.exe
- File opened for modification | C:\Windows\explorer.exe | explorer.exe
- File created | C:\Windows\explorer.exe | explorer.exe
- File opened for modification | C:\Windows\explorer.exe | explorer.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
- 2716 | explorer.exe
- 2716 | explorer.exe
- 2592 | explorer.exe
- 2592 | explorer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 2716 | explorer.exe
- Token: SeDebugPrivilege | 2592 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs; each of the four rows below is reported 7 times)
description | pid | Process | procid_target
- PID 2280 wrote to memory of 2716 | 2280 | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe | 30
- PID 2716 wrote to memory of 2732 | 2716 | explorer.exe | 31
- PID 2280 wrote to memory of 2592 | 2280 | f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe | 32
- PID 2592 wrote to memory of 1564 | 2592 | explorer.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe (PID 2280)
  command line: "C:\Users\Admin\AppData\Local\Temp\f56bc2805b3718860fcb83824340a454_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe (PID 2716)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (PID 2732)
      command line: "C:\Windows\explorer.exe"
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe (PID 2592)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\explorer.exe
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (PID 1564)
      command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
- MD5: 145ba7ae62a15950c46f3cd99e27c4d1
- SHA1: ee40cea2e907bfb6ecc979bdd62654f8dfc35a78
- SHA256: 1e2b9161b607fe17b8cd9c64fbcae70c25ae174f63f0419b04a26dbbd0a2b6a8
- SHA512: 586bea13a143fe33f83dbaa6573f6376e1c62e8d68dbad9615a30293a365381f1a34ecab109a484a9d46715d966a2aa8c61397afa51fe51084f8e892dd9e8aff