Analysis
- max time kernel: 142s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/09/2024, 12:16
Behavioral task: behavioral1
- Sample: fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe
- Size: 1.6MB
- MD5: fa641edc81ec21b0bda7d6e47bd23a10
- SHA1: 1a78415d815d1b974389b4824c2c5b082209a84c
- SHA256: 2f74e41c8484e679aa1cf3ec97b5aadfcca0ec8d4fa75d325ae735223a7734a5
- SHA512: 6e52986e834ceb49e70c645552ed2c38438bf385d48793a57983bc892577fef0da3f940090086ae7d8636427f845e75a11f9093c4d16a9f45324c732feb97dae
- SSDEEP: 24576:ix03nIlcXgYZhukuphb03nZupGxe9qee4fjuS2Vp6RwT6JvHF:ix0ycXgYWFX0cz9/e4f0p6ST6dl
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that abuses cloud services to download other malicious families.
UAC bypass 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
ModiLoader Second Stage 16 IoCs
All 16 matches fire the yara_rule modiloader_stage2, on the dropped file and on the same 0x400000-0x44B000 image region of the turkojan.exe and mstwain32.exe processes:
- behavioral2/files/0x00080000000233fb-22.dat
- behavioral2/memory/1572-40-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-60-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-65-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-68-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-71-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-74-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-77-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-80-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-83-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-86-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-89-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-92-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-95-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-98-0x0000000000400000-0x000000000044B000-memory.dmp
- behavioral2/memory/3180-101-0x0000000000400000-0x000000000044B000-memory.dmp
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | turkojan.exe
Executes dropped EXE 3 IoCs
pid | Process
- 4452 | Minecraft.exe
- 1572 | turkojan.exe
- 3180 | mstwain32.exe
Loads dropped DLL 6 IoCs
pid | Process
- 3180 | mstwain32.exe (4 loads)
- 4452 | Minecraft.exe (2 loads)
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | turkojan.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File created | C:\Windows\mstwain32.exe | turkojan.exe
- File opened for modification | C:\Windows\mstwain32.exe | turkojan.exe
- File created | C:\Windows\ntdtcstp.dll | mstwain32.exe
- File created | C:\Windows\cmsetac.dll | mstwain32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Minecraft.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstwain32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | turkojan.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 1572 | turkojan.exe
- Token: SeDebugPrivilege | 3180 | mstwain32.exe
- Token: SeDebugPrivilege | 3180 | mstwain32.exe
- Token: SeDebugPrivilege | 4452 | Minecraft.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 3180 | mstwain32.exe
- 3180 | mstwain32.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
- PID 4080 wrote to memory of 4452 | 4080 | fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe | 82 (3 times)
- PID 4080 wrote to memory of 1572 | 4080 | fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe | 83 (3 times)
- PID 1572 wrote to memory of 3180 | 1572 | turkojan.exe | 84 (3 times)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
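The registry rows above are what the sandbox's signatures key on: a write of EnableLUA = 0 under Policies\System (UAC bypass / system policy modification), a Run-key value pointing at a binary the loader itself dropped into C:\Windows, a read of Geo\Nation (geofence check) and an open of NLS\Language (language discovery). The following is an added example, written for this page and not code from Triage or from the malware's authors: it re-derives those signature hits from raw registry events and collapses the repeated WriteProcessMemory rows into the parent/child chain shown in the process tree. The events and PID pairs are constructed from the tables above; the ATT&CK technique IDs and the extra "Run key target lives in the Windows directory" check are this example's own assumptions, not something the report emits.

```python
"""Re-derive this report's registry signatures and process chain from raw events.

Added example for the Triage report page; not sandbox or malware code.
Events are constructed from the IoC tables on the page.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping from report signature names to ATT&CK Enterprise technique IDs.
TECHNIQUE = {
    "UAC bypass": "T1548.002",
    "System policy modification": "T1112",
    "Adds Run key to start application": "T1547.001",
    "Checks computer location settings": "T1614",
    "System Location Discovery: System Language Discovery": "T1614.001",
}

# Key paths after normalisation (lower-cased, per-user SID replaced by <sid>).
POLICY_SYSTEM = "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\policies\\system"
RUN_KEY = "\\registry\\user\\<sid>\\software\\microsoft\\windows\\currentversion\\run"
GEO_NATION = "\\registry\\user\\<sid>\\control panel\\international\\geo\\nation"
NLS_LANGUAGE = "\\registry\\machine\\system\\controlset001\\control\\nls\\language"


@dataclass(frozen=True)
class RegEvent:
    op: str          # "set", "query" or "open", as the sandbox reports it
    key: str         # \REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\... (sandbox spelling)
    process: str
    value: str = ""  # value name for set/query events
    data: str = ""   # data written by set events, quoted exactly as the report prints it


def _norm(key: str) -> str:
    """Lower-case the path and collapse the user SID so one rule covers every profile."""
    parts = key.lower().split("\\")
    if len(parts) > 3 and parts[2] == "user" and parts[3].startswith("s-1-5-"):
        parts[3] = "<sid>"
    return "\\".join(parts)


def classify(ev: RegEvent) -> list:
    """Return the report signature names a single registry event triggers."""
    key, value = _norm(ev.key), ev.value.lower()
    hits = []
    if key == POLICY_SYSTEM and value == "enablelua":
        if ev.op == "set" and ev.data.strip('"') == "0":
            # UAC switched off outright; the report files this under two signatures.
            hits += ["UAC bypass", "System policy modification"]
        elif ev.op == "query":
            hits.append("Checks whether UAC is enabled")
    elif key == RUN_KEY and ev.op == "set":
        hits.append("Adds Run key to start application")
        # The report prints the data with doubled backslashes; unescape before checking.
        target = ev.data.strip('"').replace("\\\\", "\\").lower()
        if target.startswith("c:\\windows\\"):
            # Example's own extra check: persistence into a directory only admins can write.
            hits.append("Run key target lives in the Windows directory")
    elif key == GEO_NATION and ev.op == "query":
        hits.append("Checks computer location settings")
    elif key == NLS_LANGUAGE and ev.op == "open":
        hits.append("System Location Discovery: System Language Discovery")
    return hits


def signatures_by_process(events) -> dict:
    """Aggregate signature hits per process, as the report's process tree lists them."""
    out = defaultdict(set)
    for ev in events:
        out[ev.process].update(classify(ev))
    return dict(out)


def attack_ids(signatures) -> list:
    """Technique IDs for a set of signature names, skipping names with no mapping."""
    return sorted({TECHNIQUE[s] for s in signatures if s in TECHNIQUE})


def process_chain(writes) -> dict:
    """Collapse repeated 'PID A wrote to memory of B' rows into a parent -> children map.
    The sandbox logs several writes per spawned child, so each pair is deduplicated."""
    tree = defaultdict(list)
    for parent, child in writes:
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)


# Constructed from the IoC tables on this page.
SID = "S-1-5-21-2412658365-3084825385-3340777666-1000"
POLICY = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
SAMPLE_EVENTS = [
    RegEvent("query", f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation", "turkojan.exe"),
    RegEvent("query", POLICY, "turkojan.exe", value="EnableLUA"),
    RegEvent("set", POLICY, "mstwain32.exe", value="EnableLUA", data='"0"'),
    RegEvent("set", f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
             "mstwain32.exe", value="mstwain32", data='"C:\\\\Windows\\\\mstwain32.exe"'),
    RegEvent("open", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language", "Minecraft.exe"),
]
SAMPLE_WRITES = [(4080, 4452)] * 3 + [(4080, 1572)] * 3 + [(1572, 3180)] * 3

if __name__ == "__main__":
    for proc, sigs in signatures_by_process(SAMPLE_EVENTS).items():
        print(proc, sorted(sigs), attack_ids(sigs))
    print(process_chain(SAMPLE_WRITES))
```

The SID normalisation matters in practice: the same rule must fire whichever user profile the sample runs under, and a rule keyed on the literal sandbox SID would miss every real host.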
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe (PID 4080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa641edc81ec21b0bda7d6e47bd23a10_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Minecraft.exe (PID 4452)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\turkojan.exe (PID 1572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\turkojan.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\mstwain32.exe (PID 3180)
      Command line: "C:\Windows\mstwain32.exe"
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
- Filesize: 679KB
  MD5: 605a171c61a0607bdcf6be80ed07cf95
  SHA1: 477d4391b0d84406127e43ead289a3596ac1e5e5
  SHA256: 09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9
  SHA512: 3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338
- Filesize: 270KB
  MD5: d653d7589ab105309802257ae34ad2c6
  SHA1: 2a6cec5747d24282b4a1a11f6466d995f1915b0f
  SHA256: 64d9facd7ded7298e3023a06905f7e76efc23b8d7d887c9b7046804b836fa4cc
  SHA512: a9f49ed02382d2e367a99ba123eee2dea768d9a3923c0ebb3c56e4b170985000cbd1ae9519b8fb5fa34245f5a0410d0464c1e35a3c35762c61b0f2f016d26e54
- Filesize: 33KB
  MD5: 52ba2fae7475c4861c79f6d38f7ef25f
  SHA1: 04896b6834354fb7895c62c48d6d14569db5764e
  SHA256: 12893275587056471ba411d4b6fb3d5d80aa572fcb9cfd1bc1a5fa4053a42135
  SHA512: c0d5c18c02885aaf3fde0ace5e70117c3378f1f90b64fd54ac7580203660ed303923a46df8d0aa15dd456f61f0972669ce2f8b15f6452c23bc12e40c8082fbd9
- Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350