Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    127s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/09/2024, 12:30 UTC

General

  • Target

    f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe

  • Size

    159KB

  • MD5

    f86081b76d29cce4dffb7ce93780dd8a

  • SHA1

    143de15fcae2f81c55b73bec1a81bb857c4a7f98

  • SHA256

    d70df994e8e3c65822d93e49c89f1055754bac0302c47164ef04af1c89f39dc2

  • SHA512

    d8e640d4d4f654207b4b016a9b8d44a98a22597b5f95cbfb6dd3b07ce31f8315230140d616957fff1bcdf8318ab8012f09621103c86067397654359c534d4696

  • SSDEEP

    3072:CDZVhu2wUviRJaS9mjDwLAf/avlp0sue7hD3yZO7Sw8HxfQEybPBifXp:CtVhcwsMwLgKnue712OGwExfQEyNiPp

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 3 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe"
    1⤵
    • Server Software Component: Terminal Services DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\f86081b76d29cce4dffb7ce93780dd8a_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2796
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k remoteservice
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2688

Network

  • flag-us
    DNS
    www.33139.cn
    remoteservice
    Remote address:
    8.8.8.8:53
    Request
    www.33139.cn
    IN A
    Response
No results found
  • 8.8.8.8:53
    www.33139.cn
    dns
    remoteservice
    58 B
    122 B
    1
    1

    DNS Request

    www.33139.cn

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\sys.dll

    Filesize

    128KB

    MD5

    51c891c49b69092021f59cf4b4418641

    SHA1

    6f06b6dff48f77590ad51f87b2382ef0860c7d14

    SHA256

    3f41d715d928c898e44a83b04d3a18ffd23ebc0b1e3ba3465aa1ae50ccc64b85

    SHA512

    5732f7b521995005baa1e79fe2b05b6e14196da028f9c0b844f06309827c0c12fc02c7a0dcdb702458c1090c1dac558c0492f01b9a39d77d0903a42c923861a9

  • memory/880-4-0x0000000000400000-0x000000000042F01F-memory.dmp

    Filesize

    188KB

  • memory/2688-6-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

  • memory/2688-5-0x0000000000470000-0x00000000004F0000-memory.dmp

    Filesize

    512KB

  • memory/2688-7-0x0000000000470000-0x00000000004F0000-memory.dmp

    Filesize

    512KB

  • memory/2688-8-0x0000000000470000-0x00000000004F0000-memory.dmp

    Filesize

    512KB

  • memory/2688-9-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.