Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f86118be19...18.exe

windows7-x64

10

f86118be19...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/09/2024, 12:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    f86118be19fedd46b59298317ca88a85

  • SHA1

    0e40a37fec3ccae661bea3b7cdcf3a52d53ecf6c

  • SHA256

    4544413fe80e2b9e7cda0c38e3ee1b6e7afae4a9f6aa555612b711e78b908734

  • SHA512

    0e54b9fc78626c4fdea680b2cc44146fb6c45407b9cf4e828d4d3d9626c4966719b6183140b7fef2dfa266c83fa8d2fa725326745324b241262eaba0ba226c36

  • SSDEEP

    3072:O4R2GQSSSey7Jbp0Xt4ClS87cH2ltaFx2YWg2QYl8sH4U9aE3yp1fm3nudE7GXLn:5Wk/WgxMg48zHwmm3d7GiE0E+K

Score
10/10
modiloaderdiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe
      2⤵
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Windows\mstwain32.exe
          C:\Windows\mstwain32.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2812
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2220

Network

    No results found
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    152 B
     3
  • 89.3.51.249:15963
    mstwain32.exe
    104 B
     2
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mstwain32.exe
    Filesize

    200KB

    MD5

    f86118be19fedd46b59298317ca88a85

    SHA1

    0e40a37fec3ccae661bea3b7cdcf3a52d53ecf6c

    SHA256

    4544413fe80e2b9e7cda0c38e3ee1b6e7afae4a9f6aa555612b711e78b908734

    SHA512

    0e54b9fc78626c4fdea680b2cc44146fb6c45407b9cf4e828d4d3d9626c4966719b6183140b7fef2dfa266c83fa8d2fa725326745324b241262eaba0ba226c36

    Download Submit

  • memory/540-24-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2364-5-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2364-6-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2364-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-3-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2364-0-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2364-9-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-10-0x0000000003EE0000-0x0000000003EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-8-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2364-29-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2408-7-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2812-33-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2812-30-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

  • memory/2812-35-0x00000000034C0000-0x00000000034CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2812-37-0x0000000000270000-0x0000000000278000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2812-38-0x00000000034C0000-0x00000000034CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2812-39-0x0000000000400000-0x0000000001519000-memory.dmp

    Filesize

    17.1MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.