Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/09/2024, 10:25
Behavioral task: behavioral1
Sample: fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
Size: 1.6MB
MD5: fa3ba3247af3ef3d0f814a62a3e62497
SHA1: b7f72fc763c2190995348112d2c81100edd667b5
SHA256: 4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993
SHA512: 90b322f47bde6ad80d4701d239fcae2d22ba5f430cc4c98a5294f0e4bc899ab5d34b000d2acf124a04e3654e1b0e962e1941d7418f478a921ddece72841f94ad
SSDEEP: 49152:F/+nwLepp/O2r1+AFhHBGF5nX2nCTNcOCFinZ:owLK5O2oArhnCT6inZ
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (6 IoCs)
resource | yara_rule
behavioral1/memory/264-6-0x0000000000400000-0x0000000000769000-memory.dmp | modiloader_stage2
behavioral1/memory/264-7-0x0000000000400000-0x0000000000769000-memory.dmp | modiloader_stage2
behavioral1/memory/264-14-0x0000000005960000-0x0000000005CC9000-memory.dmp | modiloader_stage2
behavioral1/memory/2236-39-0x0000000000400000-0x0000000000769000-memory.dmp | modiloader_stage2
behavioral1/memory/264-40-0x0000000000400000-0x0000000000769000-memory.dmp | modiloader_stage2
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000769000-memory.dmp | modiloader_stage2

Deletes itself (1 IoC)
pid | Process
2592 | cmd.exe

Executes dropped EXE (1 IoC)
pid | Process
2236 | Erverery.exe

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | Erverery.exe

Loads dropped DLL (2 IoCs)
pid | Process
264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe

YARA rule matches: themida (11 IoCs)
resource | yara_rule
behavioral1/memory/264-0-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/264-6-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/264-7-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/files/0x000c00000001225b-8.dat | themida
behavioral1/memory/2236-17-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/2236-18-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/2236-19-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/2604-27-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/2236-39-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/264-40-0x0000000000400000-0x0000000000769000-memory.dmp | themida
behavioral1/memory/2236-29-0x0000000000400000-0x0000000000769000-memory.dmp | themida

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\_Erverery.exe | Erverery.exe
File opened for modification | C:\Windows\SysWOW64\_Erverery.exe | Erverery.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2236 set thread context of 2604 | 2236 | Erverery.exe | 32

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Erverery.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
2236 | Erverery.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 264 wrote to memory of 2236 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2236 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2236 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2236 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 31
PID 2236 wrote to memory of 2604 | 2236 | Erverery.exe | 32
PID 2236 wrote to memory of 2604 | 2236 | Erverery.exe | 32
PID 2236 wrote to memory of 2604 | 2236 | Erverery.exe | 32
PID 2236 wrote to memory of 2604 | 2236 | Erverery.exe | 32
PID 2236 wrote to memory of 2604 | 2236 | Erverery.exe | 32
PID 2236 wrote to memory of 2604 | 2236 | Erverery.exe | 32
PID 2236 wrote to memory of 2624 | 2236 | Erverery.exe | 33
PID 2236 wrote to memory of 2624 | 2236 | Erverery.exe | 33
PID 2236 wrote to memory of 2624 | 2236 | Erverery.exe | 33
PID 2236 wrote to memory of 2624 | 2236 | Erverery.exe | 33
PID 264 wrote to memory of 2592 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 34
PID 264 wrote to memory of 2592 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 34
PID 264 wrote to memory of 2592 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 34
PID 264 wrote to memory of 2592 | 264 | fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe | 34
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe"
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 264

    C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe
      command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe"
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2236

        C:\Windows\SysWOW64\calc.exe
          command line: "C:\Windows\system32\calc.exe"
          PID: 2604

        C:\program files\internet explorer\IEXPLORE.EXE
          command line: "C:\program files\internet explorer\IEXPLORE.EXE"
          PID: 2624

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2592
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 212B
MD5: eb3dcc95ea73f74e56d62b991473a0ce
SHA1: ab96ca7b9d50dfd4974860f840ffcedcb2bebf7f
SHA256: f95030c430a28693fe39527241b6ff9795c5b0777eee77247fac585a241d69a6
SHA512: 9c6ed298dd1980f71e1246cc0d0d0e9258c76ec88a6eb09ab709e62ca0eecffa1339109dff45c90af4f4042075ca5fd88a7052803461050f827a650f4079f9f2

Filesize: 1.6MB
MD5: fa3ba3247af3ef3d0f814a62a3e62497
SHA1: b7f72fc763c2190995348112d2c81100edd667b5
SHA256: 4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993
SHA512: 90b322f47bde6ad80d4701d239fcae2d22ba5f430cc4c98a5294f0e4bc899ab5d34b000d2acf124a04e3654e1b0e962e1941d7418f478a921ddece72841f94ad