Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26/09/2024, 12:32
Static task
static1
Behavioral task
behavioral1
Sample
f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe
-
Size
200KB
-
MD5
f86118be19fedd46b59298317ca88a85
-
SHA1
0e40a37fec3ccae661bea3b7cdcf3a52d53ecf6c
-
SHA256
4544413fe80e2b9e7cda0c38e3ee1b6e7afae4a9f6aa555612b711e78b908734
-
SHA512
0e54b9fc78626c4fdea680b2cc44146fb6c45407b9cf4e828d4d3d9626c4966719b6183140b7fef2dfa266c83fa8d2fa725326745324b241262eaba0ba226c36
-
SSDEEP
3072:O4R2GQSSSey7Jbp0Xt4ClS87cH2ltaFx2YWg2QYl8sH4U9aE3yp1fm3nudE7GXLn:5Wk/WgxMg48zHwmm3d7GiE0E+K
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 6 IoCs
resource yara_rule behavioral2/memory/2680-3-0x0000000000400000-0x0000000001519000-memory.dmp modiloader_stage2 behavioral2/memory/2680-5-0x0000000000400000-0x0000000001519000-memory.dmp modiloader_stage2 behavioral2/memory/2680-20-0x0000000000400000-0x0000000001519000-memory.dmp modiloader_stage2 behavioral2/memory/1976-24-0x0000000000400000-0x0000000001519000-memory.dmp modiloader_stage2 behavioral2/memory/1976-25-0x0000000000400000-0x0000000001519000-memory.dmp modiloader_stage2 behavioral2/memory/1976-39-0x0000000000400000-0x0000000001519000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 3120 mstwain32.exe 1976 mstwain32.exe -
Loads dropped DLL 4 IoCs
pid Process 1976 mstwain32.exe 1976 mstwain32.exe 1976 mstwain32.exe 1976 mstwain32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3960 set thread context of 2680 3960 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 83 PID 3120 set thread context of 1976 3120 mstwain32.exe 88 -
resource yara_rule behavioral2/memory/2680-1-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/2680-3-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/2680-2-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/2680-5-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/2680-20-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/1976-24-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/1976-25-0x0000000000400000-0x0000000001519000-memory.dmp upx behavioral2/memory/1976-39-0x0000000000400000-0x0000000001519000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\mstwain32.exe f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mstwain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mstwain32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2680 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe Token: SeBackupPrivilege 3636 vssvc.exe Token: SeRestorePrivilege 3636 vssvc.exe Token: SeAuditPrivilege 3636 vssvc.exe Token: SeDebugPrivilege 1976 mstwain32.exe Token: SeDebugPrivilege 1976 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1976 mstwain32.exe 1976 mstwain32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 3960 wrote to memory of 2680 3960 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 83 PID 3960 wrote to memory of 2680 3960 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 83 PID 3960 wrote to memory of 2680 3960 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 83 PID 3960 wrote to memory of 2680 3960 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 83 PID 3960 wrote to memory of 2680 3960 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 83 PID 2680 wrote to memory of 3120 2680 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 87 PID 2680 wrote to memory of 3120 2680 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 87 PID 2680 wrote to memory of 3120 2680 f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe 87 PID 3120 wrote to memory of 1976 3120 mstwain32.exe 88 PID 3120 wrote to memory of 1976 3120 mstwain32.exe 88 PID 3120 wrote to memory of 1976 3120 mstwain32.exe 88 PID 3120 wrote to memory of 1976 3120 mstwain32.exe 88 PID 3120 wrote to memory of 1976 3120 mstwain32.exe 88 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe2⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\f86118be19fedd46b59298317ca88a85_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\mstwain32.exeC:\Windows\mstwain32.exe4⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1976
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD559f3b5023ba0c1903ab5495c916719b7
SHA146beb771e5b4bd2ba18f7cb41fe1deacc4e5858e
SHA25679f7cc598909fa3cdd2e3ef2965234fda783e8ff5cdc60951c3ac59d1111e477
SHA5124e94a56bca2ab9e3c55b9b9683d25a71caf0757f871d3b355474497f69bc9696adb5775077a6fedc70acf7b562638195b40e8e2c2082f3ba3b169f0717b75946
-
Filesize
200KB
MD5f86118be19fedd46b59298317ca88a85
SHA10e40a37fec3ccae661bea3b7cdcf3a52d53ecf6c
SHA2564544413fe80e2b9e7cda0c38e3ee1b6e7afae4a9f6aa555612b711e78b908734
SHA5120e54b9fc78626c4fdea680b2cc44146fb6c45407b9cf4e828d4d3d9626c4966719b6183140b7fef2dfa266c83fa8d2fa725326745324b241262eaba0ba226c36
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350