Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/09/2024, 08:13 UTC

General

  • Target

    fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe

  • Size

    181KB

  • MD5

    fa0affb22c9b2755e536a0a44e555164

  • SHA1

    4eaf3d57e969f72f4140f3e9301e03d59bfa9cdb

  • SHA256

    df8c2a40c95c32cfd14666d8b595fe44df58f34784dece3ff661220ef5566527

  • SHA512

    2d8d1ecdc52a7dc71b047dc8ea3bdf724f1098984f5b7f2b23ffc5936cb09600e78d9ee17c675f4a27e3d1f8439dbe9185a850a6862e7d116ecb57c02b28ce4f

  • SSDEEP

    3072:YDCuZBz4kQZbXQRH2mlj7ud7s01Dp7oOM7w4C:YDCC45Zb2WW6dY0Jp7oLf

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\fa0affb22c9b2755e536a0a44e555164_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:488
        • C:\Windows\apocalyps32.exe
          -bs
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Windows\apocalyps32.exe
            "C:\Windows\apocalyps32.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            PID:756

    Network

    • 127.0.0.1:1453
      apocalyps32.exe
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.3:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.4:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.5:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
      3
    • 127.0.0.1:1453
      apocalyps32.exe
    • 192.168.1.5:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.4:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.3:1453
      apocalyps32.exe
      152 B
      3
    • 192.168.1.2:1453
      apocalyps32.exe
      152 B
      3
    • 127.0.0.1:1453
      apocalyps32.exe
    • 192.168.1.5:1453
      apocalyps32.exe
      152 B
      3
    • 127.0.0.1:1453
      apocalyps32.exe

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\apocalyps32.exe

      Filesize

      181KB

      MD5

      fa0affb22c9b2755e536a0a44e555164

      SHA1

      4eaf3d57e969f72f4140f3e9301e03d59bfa9cdb

      SHA256

      df8c2a40c95c32cfd14666d8b595fe44df58f34784dece3ff661220ef5566527

      SHA512

      2d8d1ecdc52a7dc71b047dc8ea3bdf724f1098984f5b7f2b23ffc5936cb09600e78d9ee17c675f4a27e3d1f8439dbe9185a850a6862e7d116ecb57c02b28ce4f

    • memory/488-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/488-6-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/756-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

    • memory/756-23-0x0000000000350000-0x0000000000351000-memory.dmp

      Filesize

      4KB

    • memory/756-17-0x00000000001D0000-0x00000000001D1000-memory.dmp

      Filesize

      4KB

    • memory/756-254-0x0000000040010000-0x000000004004B000-memory.dmp

      Filesize

      236KB

    • memory/756-270-0x0000000040010000-0x000000004004B000-memory.dmp

      Filesize

      236KB

    • memory/1020-8-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1020-253-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB
