Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 10:25

General

  • Target

    fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    fa3ba3247af3ef3d0f814a62a3e62497

  • SHA1

    b7f72fc763c2190995348112d2c81100edd667b5

  • SHA256

    4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993

  • SHA512

    90b322f47bde6ad80d4701d239fcae2d22ba5f430cc4c98a5294f0e4bc899ab5d34b000d2acf124a04e3654e1b0e962e1941d7418f478a921ddece72841f94ad

  • SSDEEP

    49152:F/+nwLepp/O2r1+AFhHBGF5nX2nCTNcOCFinZ:owLK5O2oArhnCT6inZ

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 2 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa3ba3247af3ef3d0f814a62a3e62497_JaffaCakes118.exe"
    1⤵
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:264
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Erverery.exe"
      2⤵
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:2604
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
            PID:2624
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
          2⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2592

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

        Filesize

        212B

        MD5

        eb3dcc95ea73f74e56d62b991473a0ce

        SHA1

        ab96ca7b9d50dfd4974860f840ffcedcb2bebf7f

        SHA256

        f95030c430a28693fe39527241b6ff9795c5b0777eee77247fac585a241d69a6

        SHA512

        9c6ed298dd1980f71e1246cc0d0d0e9258c76ec88a6eb09ab709e62ca0eecffa1339109dff45c90af4f4042075ca5fd88a7052803461050f827a650f4079f9f2

      • \Program Files\Common Files\Microsoft Shared\MSInfo\Erverery.exe

        Filesize

        1.6MB

        MD5

        fa3ba3247af3ef3d0f814a62a3e62497

        SHA1

        b7f72fc763c2190995348112d2c81100edd667b5

        SHA256

        4d22f64874665c233a0ff8092f98a8320908058a45fbd535b042c3c31fd3c993

        SHA512

        90b322f47bde6ad80d4701d239fcae2d22ba5f430cc4c98a5294f0e4bc899ab5d34b000d2acf124a04e3654e1b0e962e1941d7418f478a921ddece72841f94ad

      • memory/264-16-0x0000000005960000-0x0000000005CC9000-memory.dmp

        Filesize

        3.4MB

      • memory/264-2-0x0000000000270000-0x0000000000271000-memory.dmp

        Filesize

        4KB

      • memory/264-7-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/264-3-0x0000000000401000-0x0000000000452000-memory.dmp

        Filesize

        324KB

      • memory/264-1-0x0000000000770000-0x0000000000869000-memory.dmp

        Filesize

        996KB

      • memory/264-14-0x0000000005960000-0x0000000005CC9000-memory.dmp

        Filesize

        3.4MB

      • memory/264-0-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/264-6-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/264-40-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2236-17-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2236-39-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2236-19-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2236-18-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2236-29-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2604-27-0x0000000000400000-0x0000000000769000-memory.dmp

        Filesize

        3.4MB

      • memory/2604-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB