Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29/09/2024, 00:14
Static task
static1
Behavioral task
behavioral1
Sample
fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe
-
Size
892KB
-
MD5
fd6d713bc3aa9835bce0adeba5b01498
-
SHA1
dcb84ba266a2a5d37b97a4aa9710713fd48126d7
-
SHA256
51a885b71726de417d0697f95da9157dada78d78f7c92e63e7743f9e1562fba7
-
SHA512
1fdcddb240a377a088d486be0e22f451be0e27272b26aee5b1b34be1443b2d63fdc4ae45ac1070624ad69c9af94a3e993827670401d2c2b0b6a1235d679efb85
-
SSDEEP
12288:Hmmo7YNQzGnBaWnBsPDqWOFqetuiaSwXb0lvIfU+5wOAjxAD+/ayqU9kEnhrgK05:GvwQyBaWnBCqyaaNCM2OAjxy+XjrnldA
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xpsystem32.exe -
ModiLoader Second Stage 22 IoCs
resource yara_rule behavioral2/memory/1368-4-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/1368-5-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/1368-6-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/1368-7-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/1368-10-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/1368-26-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-34-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-36-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-40-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-41-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-42-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-43-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-44-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-45-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-46-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-47-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-48-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-49-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-50-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-51-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-52-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 behavioral2/memory/4304-53-0x0000000000400000-0x000000000044B000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 4228 xpsystem32.exe 4304 xpsystem32.exe -
Loads dropped DLL 1 IoCs
pid Process 4304 xpsystem32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xpsystem32 = "C:\\Windows\\xpsystem32.exe" xpsystem32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xpsystem32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xpsystem32.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1572 set thread context of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 4228 set thread context of 4304 4228 xpsystem32.exe 87 -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\ntdtcstp.dll xpsystem32.exe File created C:\Windows\xpsystem32.exe fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe File opened for modification C:\Windows\xpsystem32.exe fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpsystem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpsystem32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1368 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe Token: SeBackupPrivilege 3748 vssvc.exe Token: SeRestorePrivilege 3748 vssvc.exe Token: SeAuditPrivilege 3748 vssvc.exe Token: SeDebugPrivilege 4304 xpsystem32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 4228 xpsystem32.exe 4228 xpsystem32.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1572 wrote to memory of 1368 1572 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 82 PID 1368 wrote to memory of 4228 1368 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 86 PID 1368 wrote to memory of 4228 1368 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 86 PID 1368 wrote to memory of 4228 1368 fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe 86 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 PID 4228 wrote to memory of 4304 4228 xpsystem32.exe 87 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xpsystem32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe2⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\xpsystem32.exe"C:\Windows\xpsystem32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\fd6d713bc3aa9835bce0adeba5b01498_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\xpsystem32.exeC:\Windows\xpsystem32.exe4⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4304
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD53f689ab34ba20ffbc647f3c4ce7c9c92
SHA10275be6c5d43a4916f4b6b2b4aa06398e193206f
SHA256003eb1ba56dc99c6a6d4e8f35233edcee64aa8001ac5f7289369cae2325ff019
SHA5125336b3d410c21746a81a67c1b0da791d5592d4dc42fe559bc9b12a89b6bc6aef04b385a1566e55a7599c2489741ee7b0953f9cb0b3b5b9a9feb006678e2bdbce
-
Filesize
892KB
MD5fd6d713bc3aa9835bce0adeba5b01498
SHA1dcb84ba266a2a5d37b97a4aa9710713fd48126d7
SHA25651a885b71726de417d0697f95da9157dada78d78f7c92e63e7743f9e1562fba7
SHA5121fdcddb240a377a088d486be0e22f451be0e27272b26aee5b1b34be1443b2d63fdc4ae45ac1070624ad69c9af94a3e993827670401d2c2b0b6a1235d679efb85
-
Filesize
14B
MD5c35621097d0cfbd84ab0ddc86e243e42
SHA1b6fb249e3ab5e159a751d49561281de8069ce764
SHA256929df5f139e9829c097d555324247fe0d2e5fa8b3902812ddfe2b47dc18fbc2f
SHA51228133fae11a5379bf1c4e14291512d62e0ce8e1bb3218502f6b707f7dc3694809bb473d6291dca7ea19ce74b9a491f59bf970ff8bb1038f7734a48a330d97f92