Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 27/09/2024, 08:13
Behavioral tasks
- behavioral1: sample fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe, resource win7-20240903-en
- behavioral2: sample fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe
- Size: 181KB
- MD5: fa0affb22c9b2755e536a0a44e555164
- SHA1: 4eaf3d57e969f72f4140f3e9301e03d59bfa9cdb
- SHA256: df8c2a40c95c32cfd14666d8b595fe44df58f34784dece3ff661220ef5566527
- SHA512: 2d8d1ecdc52a7dc71b047dc8ea3bdf724f1098984f5b7f2b23ffc5936cb09600e78d9ee17c675f4a27e3d1f8439dbe9185a850a6862e7d116ecb57c02b28ce4f
- SSDEEP: 3072:YDCuZBz4kQZbXQRH2mlj7ud7s01Dp7oOM7w4C:YDCC45Zb2WW6dY0Jp7oLf
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "userinit.exe,C:\\Windows\\apocalyps32.exe" | apocalyps32.exe
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral1/memory/756-254-0x0000000040010000-0x000000004004B000-memory.dmp | modiloader_stage2
  behavioral1/memory/756-270-0x0000000040010000-0x000000004004B000-memory.dmp | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid | Process
  1020 | apocalyps32.exe
  756 | apocalyps32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\apocalyps32 = "C:\\Windows\\apocalyps32.exe" | apocalyps32.exe
- Yara rule matches: upx (7 IoCs)
  resource | yara_rule
  behavioral1/memory/488-0-0x0000000000400000-0x000000000042F000-memory.dmp | upx
  behavioral1/files/0x000b000000012233-5.dat | upx
  behavioral1/memory/488-6-0x0000000000400000-0x000000000042F000-memory.dmp | upx
  behavioral1/memory/1020-8-0x0000000000400000-0x000000000042F000-memory.dmp | upx
  behavioral1/memory/1020-253-0x0000000000400000-0x000000000042F000-memory.dmp | upx
  behavioral1/memory/756-254-0x0000000040010000-0x000000004004B000-memory.dmp | upx
  behavioral1/memory/756-270-0x0000000040010000-0x000000004004B000-memory.dmp | upx
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\apocalyps32.exe | fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe
  File opened for modification | C:\Windows\apocalyps32.exe | fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe
  File created | C:\Windows\apocalyps32.exe | apocalyps32.exe
  File opened for modification | C:\Windows\becool123_14910F8B\ServerLogs\Admin\27-09-2024 | apocalyps32.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | apocalyps32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | apocalyps32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | apocalyps32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | apocalyps32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  756 | apocalyps32.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  756 | apocalyps32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 488 wrote to memory of 1020 | 488 | fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe | 29 (4 identical entries)
  PID 1020 wrote to memory of 756 | 1020 | apocalyps32.exe | 30 (remaining 60 entries, all identical)
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID 1372
  - C:\Users\Admin\AppData\Local\Temp\fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe"), depth 2, PID 488
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\apocalyps32.exe (command line: -bs), depth 3, PID 1020
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\apocalyps32.exe (command line: "C:\Windows\apocalyps32.exe"), depth 4, PID 756
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)