Analysis
max time kernel: 136s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 03/11/2024, 05:29
Static task
static1
Behavioral task
behavioral1
Sample
89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target: 89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Size: 521KB
MD5: 89d8eb69709a093a463be1b96a13c34c
SHA1: 0050623de9db92310232d016b7faf3ac4723682f
SHA256: e2ea44103a510f3381b573b2082c029ca0e51411bf380c3fe02376c5114496e9
SHA512: 0a2c877c17ab9ef661cb3b5250bcc6a8daab0b4cc07ecf8b50acdac45aeda65dd7cc51453595b04181a7a29766b0f4b909a5adfa2918eb6907fb960ca636d670
SSDEEP: 12288:hNVmFGuqxGXElwkcR9himlNXDlvq28mnkRaoUa1jlojcnaz9y:hfuGGXEWkG5xvaR/Ua1Wjc
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage 3 IoCs
resource / yara_rule
behavioral2/memory/3284-12-0x0000000000400000-0x0000000000451000-memory.dmp / modiloader_stage2
behavioral2/memory/3284-13-0x0000000000400000-0x0000000000451000-memory.dmp / modiloader_stage2
behavioral2/memory/3284-15-0x0000000000400000-0x0000000000451000-memory.dmp / modiloader_stage2
Executes dropped EXE 2 IoCs
pid / Process
468 / tmp.exe
3284 / tmp.exe
Checks whether UAC is enabled
description / ioc / Process
Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / tmp.exe
Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target
PID 468 set thread context of 3284 / 468 / tmp.exe / 85
resource / yara_rule
behavioral2/memory/3284-7-0x0000000000400000-0x0000000000451000-memory.dmp / upx
behavioral2/memory/3284-11-0x0000000000400000-0x0000000000451000-memory.dmp / upx
behavioral2/memory/3284-12-0x0000000000400000-0x0000000000451000-memory.dmp / upx
behavioral2/memory/3284-13-0x0000000000400000-0x0000000000451000-memory.dmp / upx
behavioral2/memory/3284-15-0x0000000000400000-0x0000000000451000-memory.dmp / upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / tmp.exe
Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / tmp.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description / pid / Process
Token: SeDebugPrivilege / 3284 / tmp.exe
Token: SeBackupPrivilege / 2576 / vssvc.exe
Token: SeRestorePrivilege / 2576 / vssvc.exe
Token: SeAuditPrivilege / 2576 / vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid / Process
3284 / tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process
3460 / 89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 8 IoCs
description / pid / Process / procid_target
PID 3460 wrote to memory of 468 / 3460 / 89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe / 84
PID 3460 wrote to memory of 468 / 3460 / 89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe / 84
PID 3460 wrote to memory of 468 / 3460 / 89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe / 84
PID 468 wrote to memory of 3284 / 468 / tmp.exe / 85
PID 468 wrote to memory of 3284 / 468 / tmp.exe / 85
PID 468 wrote to memory of 3284 / 468 / tmp.exe / 85
PID 468 wrote to memory of 3284 / 468 / tmp.exe / 85
PID 468 wrote to memory of 3284 / 468 / tmp.exe / 85
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Users\Admin\AppData\Local\Temp\89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe"
   PID: 3460
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
      PID: 468
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tmp.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
         PID: 3284
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 2576
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 509KB
MD5: 41b66b1a8d604ea0fb82c870475d94de
SHA1: cf0b8db17c1c4b5d522bdb57d4b01a33ea0960ee
SHA256: 8d977cd8dadb8c034768145ada24d3d99ff0b0cc8d72d54e048c4a63034e1f7b
SHA512: 18b834daad401c94a2edae77c0b02ce4326f160ec0b434ad7ce1475d85dbda1b9ee44036160cdcd3de28923b0e0d678ced589dc80c4bd5f7c3398dd64d19b5ff