Analysis
- max time kernel: 94s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/09/2024, 08:36
Behavioral task: behavioral1
- Sample: fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe
- Size: 183KB
- MD5: fa13973fbe1242a9c35c6eb29f6c451d
- SHA1: 4b2131058fee9ee5b8b362b66854ac52e34ede8c
- SHA256: 9fd2e5eb1f2bde085b8a1229a10062293bb0a9eac096f15b94401166a7995e38
- SHA512: f3c9fe048cf535d1bbae52da5d0fbbc7c16331b3410897e4d8e024eef215f4d5da85b10c6c976594b0abf04d0325a897dbc5573d81ae745c9a79d4991e444456
- SSDEEP: 3072:mhOTFkw20+9FmwSh8HJvJkIS0KixLz6LUcMGgJzKY8n0tavrjU:X20+Hmhh8cb0vp6LYrAzdDj
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoCs)
  resource: behavioral2/memory/2948-11-0x0000000000400000-0x0000000000435000-memory.dmp, yara_rule: modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation, Process: fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid: 4600, Process: Server.exe
  pid: 4496, Process: Server.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 4600 set thread context of 4496, pid: 4600, Process: Server.exe, procid_target: 83
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid: 4520, pid_target: 4496, Process: WerFault.exe, procid_target: 83
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: Server.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2948 wrote to memory of 4600, pid: 2948, Process: fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe, procid_target: 82 (3 occurrences)
  description: PID 4600 wrote to memory of 4496, pid: 4600, Process: Server.exe, procid_target: 83 (5 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe (PID 2948)
  command line: "C:\Users\Admin\AppData\Local\Temp\fa13973fbe1242a9c35c6eb29f6c451d_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 4600)
    command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 4496)
      command line: C:\Users\Admin\AppData\Local\Temp\Server.exe
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (PID 4520)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 12
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1240)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4496 -ip 4496
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 61KB
  MD5: 4322b83800b84808639e205c0b28f8b1
  SHA1: bca88869c00fcc72b545453c03f110357b539f10
  SHA256: 897d010ae0336c60bab676b749c8e885df169f9597f9165049b9e716dd261675
  SHA512: 52e54315fc5b60ce14b16253e00a50c73a2af64cc5180de0fc0c5d916bb5d8b3af9b3bc5f067e7387bd069d46c23123c302ba020331d7d56847e158b37d688dc