Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

fa0affb22c...18.exe

windows7-x64

10

fa0affb22c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 08:13 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe

  • Size

    181KB

  • MD5

    fa0affb22c9b2755e536a0a44e555164

  • SHA1

    4eaf3d57e969f72f4140f3e9301e03d59bfa9cdb

  • SHA256

    df8c2a40c95c32cfd14666d8b595fe44df58f34784dece3ff661220ef5566527

  • SHA512

    2d8d1ecdc52a7dc71b047dc8ea3bdf724f1098984f5b7f2b23ffc5936cb09600e78d9ee17c675f4a27e3d1f8439dbe9185a850a6862e7d116ecb57c02b28ce4f

  • SSDEEP

    3072:YDCuZBz4kQZbXQRH2mlj7ud7s01Dp7oOM7w4C:YDCC45Zb2WW6dY0Jp7oLf

Score
10/10
modiloaderdiscoverypersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:488
        • C:\Windows\apocalyps32.exe
          -bs
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Windows\apocalyps32.exe
            "C:\Windows\apocalyps32.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            PID:756

    Network

      No results found
    • 127.0.0.1:1453
      apocalyps32.exe
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.3:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.4:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.5:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
       3
    • 127.0.0.1:1453
      apocalyps32.exe
    • 192.168.1.5:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.4:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.3:1453
      apocalyps32.exe
      152 B
       3
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
       3
    • 127.0.0.1:1453
      apocalyps32.exe
    • 192.168.1.5:1453
      apocalyps32.exe
      152 B
       3
    • 127.0.0.1:1453
      apocalyps32.exe
    No results found

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\apocalyps32.exe
      Filesize

      181KB

      MD5

      fa0affb22c9b2755e536a0a44e555164

      SHA1

      4eaf3d57e969f72f4140f3e9301e03d59bfa9cdb

      SHA256

      df8c2a40c95c32cfd14666d8b595fe44df58f34784dece3ff661220ef5566527

      SHA512

      2d8d1ecdc52a7dc71b047dc8ea3bdf724f1098984f5b7f2b23ffc5936cb09600e78d9ee17c675f4a27e3d1f8439dbe9185a850a6862e7d116ecb57c02b28ce4f

      Download Submit

    • memory/488-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/488-6-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/756-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/756-23-0x0000000000350000-0x0000000000351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/756-17-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/756-254-0x0000000040010000-0x000000004004B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/756-270-0x0000000040010000-0x000000004004B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/1020-8-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1020-253-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.