Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
26/09/2024, 21:00
Behavioral task
behavioral1
Sample
f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe
-
Size
273KB
-
MD5
f92a411ea31666fae2c8213055ed34eb
-
SHA1
24f0dddeae69510c82565e5a12e646c59f5e7c33
-
SHA256
757e0d1e1c2e9bb8685d9c69c9b8bfc04e59a199d7616cb217b3ff011ffdc78c
-
SHA512
cf1a63f4ade1599d66558fc304c6b58f6dd03c7623457c0c038886b19b70e5383aa53243e48552da53459caf2295db0adb0f823dc5fb9dd69e5de6ef683e2dbe
-
SSDEEP
6144:kG377xS2Vp2CeiorXdwTBgWx4W53ypcCJJvH:fr7xS2Vp6RwTyCKbJJvH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 16 IoCs
resource yara_rule behavioral1/files/0x00060000000055cf-4.dat modiloader_stage2 behavioral1/memory/2184-8-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-18-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-22-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-25-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-28-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-31-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-35-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-38-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-41-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-44-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-47-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-50-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-53-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-56-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 behavioral1/memory/1420-59-0x0000000000400000-0x000000000044C000-memory.dmp modiloader_stage2 -
Deletes itself 1 IoCs
pid Process 1420 mstwain32.exe -
Executes dropped EXE 1 IoCs
pid Process 1420 mstwain32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\mstwain32.exe f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe File opened for modification C:\Windows\mstwain32.exe f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mstwain32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2184 f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe Token: SeBackupPrivilege 2724 vssvc.exe Token: SeRestorePrivilege 2724 vssvc.exe Token: SeAuditPrivilege 2724 vssvc.exe Token: SeDebugPrivilege 1420 mstwain32.exe Token: SeDebugPrivilege 1420 mstwain32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1420 mstwain32.exe 1420 mstwain32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2184 wrote to memory of 1420 2184 f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe 33 PID 2184 wrote to memory of 1420 2184 f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe 33 PID 2184 wrote to memory of 1420 2184 f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe 33 PID 2184 wrote to memory of 1420 2184 f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe 33 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\f92a411ea31666fae2c8213055ed34eb_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1420
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
273KB
MD5f92a411ea31666fae2c8213055ed34eb
SHA124f0dddeae69510c82565e5a12e646c59f5e7c33
SHA256757e0d1e1c2e9bb8685d9c69c9b8bfc04e59a199d7616cb217b3ff011ffdc78c
SHA512cf1a63f4ade1599d66558fc304c6b58f6dd03c7623457c0c038886b19b70e5383aa53243e48552da53459caf2295db0adb0f823dc5fb9dd69e5de6ef683e2dbe