Analysis
- max time kernel: 94s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/09/2024, 22:27
Behavioral task: behavioral1
- Sample: f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe
- Size: 401KB
- MD5: f94444f5677cd30b531e2d9eed40991c
- SHA1: e6ba439064ea61986b02da6f81c292365655a8ed
- SHA256: 8bcb1707d05db21b67a7281b1a6a972ba3efc51e9b34259962a30215363b6cc3
- SHA512: 3538bdebae89e4491d6e182bf3a606401b0528f0fa3bf699f71ef5cf1e0436f907552e19c4b80f2325d5a387aa259936906c5b1d2b412161f34da031fba619bc
- SSDEEP: 6144:f0fl8CZlpC8wTTT7zYIpDG3tLLQQFk8vCi98E71K0n5DFDh2E+ccEoWTruCY5MVI:M99ZlQ2QYk8TKE7U0tRhciuzTD
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x00080000000234d0-5.dat: modiloader_stage2
  - behavioral2/memory/4540-9-0x0000000000400000-0x000000000046B000-memory.dmp: modiloader_stage2
  - behavioral2/memory/2192-14-0x0000000010000000-0x000000001000C000-memory.dmp: modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description / ioc / process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation (f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  pid / process:
  - 2192 Systemloader.exe
  - 3340 Systemloader.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / procid_target:
  - PID 2192 set thread context of 3340 (2192 Systemloader.exe, target 83)
- resource / yara_rule:
  - behavioral2/memory/3340-11-0x0000000000400000-0x000000000041D000-memory.dmp: upx
  - behavioral2/memory/3340-15-0x0000000000400000-0x000000000041D000-memory.dmp: upx
  - behavioral2/memory/3340-16-0x0000000000400000-0x000000000041D000-memory.dmp: upx
  - behavioral2/memory/3340-18-0x0000000000400000-0x000000000041D000-memory.dmp: upx
  - behavioral2/memory/3340-19-0x0000000000400000-0x000000000041D000-memory.dmp: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid / pid_target / process / procid_target:
  - 2568 crashed 3340 (WerFault.exe, target 83)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Systemloader.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Systemloader.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process:
  - 3340 Systemloader.exe
  - 3340 Systemloader.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / process / procid_target:
  - PID 4540 wrote to memory of 2192 (4540 f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe, target 82)
  - PID 4540 wrote to memory of 2192 (4540 f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe, target 82)
  - PID 4540 wrote to memory of 2192 (4540 f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe, target 82)
  - PID 2192 wrote to memory of 3340 (2192 Systemloader.exe, target 83)
  - PID 2192 wrote to memory of 3340 (2192 Systemloader.exe, target 83)
  - PID 2192 wrote to memory of 3340 (2192 Systemloader.exe, target 83)
  - PID 2192 wrote to memory of 3340 (2192 Systemloader.exe, target 83)
  - PID 2192 wrote to memory of 3340 (2192 Systemloader.exe, target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f94444f5677cd30b531e2d9eed40991c_JaffaCakes118.exe"
  Level 1, PID:4540
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Systemloader.exe
    Command line: "C:\Systemloader.exe"
    Level 2, PID:2192
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Systemloader.exe
      Command line: C:\Systemloader.exe
      Level 3, PID:3340
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 564
        Level 4, PID:2568
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3340 -ip 3340
  Level 1, PID:4780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 358KB
  MD5: 5173f903c3faaa3cf8e3e0910afad614
  SHA1: 2d53cf8c86cd920602123966dfc40c7567cca3d6
  SHA256: 31042a194872d66a7ce75a37de044c8931c005358c775011e75bae04623a93bc
  SHA512: fef769ff6ec19d2aa0c7e49fc5ef482d91a65c600a28df86a2dd96845af346b0439cc72d315b2a07da04eaa6874e683d52257672b66c20dd451e7cc8e63f7283
- Filesize: 22KB
  MD5: 1b58ac36575d9c69123aaba7aef86e8a
  SHA1: 21146726066641d70a3f800d339b428f8042f714
  SHA256: b632e67b6e4b6c417c3e39e1c15ca2762158a01e81a3e5e1157ec6acd379779f
  SHA512: 503ab01530714abf076f786e397e14b0c08e31fe3e3bcb6a0e38c2c767e65cb5c5755f131c426ce290a7bfe73876a3c36225da258db2ca4a5dc583d4aca0af6e