Analysis
- max time kernel: 127s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/09/2024, 12:30
Static task
- static1

Behavioral task
- behavioral1
- Sample: f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task
- behavioral2
- Sample: f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe
- Size: 159KB
- MD5: f86081b76d29cce4dffb7ce93780dd8a
- SHA1: 143de15fcae2f81c55b73bec1a81bb857c4a7f98
- SHA256: d70df994e8e3c65822d93e49c89f1055754bac0302c47164ef04af1c89f39dc2
- SHA512: d8e640d4d4f654207b4b016a9b8d44a98a22597b5f95cbfb6dd3b07ce31f8315230140d616957fff1bcdf8318ab8012f09621103c86067397654359c534d4696
- SSDEEP: 3072:CDZVhu2wUviRJaS9mjDwLAf/avlp0sue7hD3yZO7Sw8HxfQEybPBifXp:CtVhcwsMwLgKnue712OGwExfQEyNiPp
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
- behavioral1/memory/2688-5-0x0000000000470000-0x00000000004F0000-memory.dmp | modiloader_stage2
- behavioral1/memory/2688-7-0x0000000000470000-0x00000000004F0000-memory.dmp | modiloader_stage2
- behavioral1/memory/2688-8-0x0000000000470000-0x00000000004F0000-memory.dmp | modiloader_stage2

Server Software Component: Terminal Services DLL (1 TTPs, 1 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\netctrl\Parameters\ServiceDll = "C:\\Windows\\system32\\sys.dll" | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe

Deletes itself (1 IoCs)
pid | Process
- 2796 | cmd.exe

Loads dropped DLL (1 IoCs)
pid | Process
- 2688 | svchost.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\sys.dll | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\sys.dll | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
- PID 880 wrote to memory of 2796 | 880 | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe | 31
- PID 880 wrote to memory of 2796 | 880 | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe | 31
- PID 880 wrote to memory of 2796 | 880 | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe | 31
- PID 880 wrote to memory of 2796 | 880 | f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe"
  PID: 880
  Signatures:
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe"
    PID: 2796
    Signatures:
    - Deletes itself
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\svchost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k remoteservice
  PID: 2688
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 128KB
- MD5: 51c891c49b69092021f59cf4b4418641
- SHA1: 6f06b6dff48f77590ad51f87b2382ef0860c7d14
- SHA256: 3f41d715d928c898e44a83b04d3a18ffd23ebc0b1e3ba3465aa1ae50ccc64b85
- SHA512: 5732f7b521995005baa1e79fe2b05b6e14196da028f9c0b844f06309827c0c12fc02c7a0dcdb702458c1090c1dac558c0492f01b9a39d77d0903a42c923861a9