Analysis
- max time kernel: 143s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/09/2024, 04:18
Behavioral task behavioral1
- Sample: fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- Resource: win7-20240903-en

Behavioral task behavioral2
- Sample: fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- Size: 1.3MB
- MD5: fb7d1c076a51b5b38f11de3747b3ec93
- SHA1: 4ff46496372ab5d15d2a0d3ef7345a0d062d973b
- SHA256: e0dc9970bcab8579699aefa136f1ffaa1eef1100fe5b5290bd9afee1d0dac07f
- SHA512: 084d918901454278d1f51e1d0bd8370572191e2205688ae1e02ce49113a681c8adc516b08a3f7a1e1572db6569a68ddf3ba603eb52c1f890a4eb1e5ef34ab95f
- SSDEEP: 24576:nSiOuvRfZ+JgAj/00weVcTS7RssiRZ+VT:rRf4JD80+RZQT
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvrsynci.exe
ModiLoader Second Stage 16 IoCs
resource | yara_rule
- behavioral2/files/0x000400000001dae6-5.dat | modiloader_stage2
- behavioral2/memory/2456-11-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-28-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-32-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-35-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-39-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-42-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-47-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-50-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-54-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-57-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-60-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-64-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-67-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-71-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
- behavioral2/memory/336-75-0x0000000000400000-0x0000000000550000-memory.dmp | modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
- 336 | mvrsynci.exe

Loads dropped DLL 4 IoCs
pid | Process
- 336 | mvrsynci.exe
- 336 | mvrsynci.exe
- 336 | mvrsynci.exe
- 336 | mvrsynci.exe

Checks whether UAC is enabled
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mvrsynci.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvrsynci.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File created | C:\Windows\mvrsynci.exe | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- File opened for modification | C:\Windows\mvrsynci.exe | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- File created | C:\Windows\drvstore.dll | mvrsynci.exe
- File created | C:\Windows\bguiv32.dll | mvrsynci.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mvrsynci.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2456 | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
- Token: SeBackupPrivilege | 712 | vssvc.exe
- Token: SeRestorePrivilege | 712 | vssvc.exe
- Token: SeAuditPrivilege | 712 | vssvc.exe
- Token: SeDebugPrivilege | 336 | mvrsynci.exe
- Token: SeDebugPrivilege | 336 | mvrsynci.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
- 2456 | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 336 | mvrsynci.exe
- 336 | mvrsynci.exe

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
- PID 2456 wrote to memory of 336 | 2456 | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe | 85
- PID 2456 wrote to memory of 336 | 2456 | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe | 85
- PID 2456 wrote to memory of 336 | 2456 | fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe | 85

System policy modification 1 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvrsynci.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb7d1c076a51b5b38f11de3747b3ec93_JaffaCakes118.exe"
  Depth: 1
  PID: 2456
  Signatures:
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\mvrsynci.exe
    Command line: "C:\Windows\mvrsynci.exe"
    Depth: 2
    PID: 336
    Signatures:
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Depth: 1
  PID: 712
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)
Downloads

File 1
- Filesize: 33KB
- MD5: de7742afca757a91dcb42ff4468d5a08
- SHA1: 5deb946923925d6b5bf35048d3ef8ea956b3826c
- SHA256: d9e99bd16faffedc7da8916381075f80b89760fd68565ffff67c10febff95659
- SHA512: b04654a048e3a037c1393833bb4e033046c0fc5f68cfdcad031f7f1e0797e69737b23f418d835b5024bc3e2231341b41e4bfa3eac554a24edeb4ad699a1f56b4

File 2
- Filesize: 7KB
- MD5: 93bae90d90a7bebcc0167475c3339176
- SHA1: e2718ed2e45fbeff7a75a5eabae3a8db0c27fda0
- SHA256: ea2470ec435de4baab58195cbd4ac7866e61eb85d76fa5261f16c2a85e587693
- SHA512: 6f8abc03302a4a66b0ba1e3138873203e129d77a0932b766f55701efa7c3d9ab17f50dc5131d2ffe5ab035e9eb7d4ce055506830df2a5497b849171e30d35500

File 3
- Filesize: 1.3MB
- MD5: fb7d1c076a51b5b38f11de3747b3ec93
- SHA1: 4ff46496372ab5d15d2a0d3ef7345a0d062d973b
- SHA256: e0dc9970bcab8579699aefa136f1ffaa1eef1100fe5b5290bd9afee1d0dac07f
- SHA512: 084d918901454278d1f51e1d0bd8370572191e2205688ae1e02ce49113a681c8adc516b08a3f7a1e1572db6569a68ddf3ba603eb52c1f890a4eb1e5ef34ab95f