Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2024, 05:29

General

  • Target

    89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe

  • Size

    521KB

  • MD5

    89d8eb69709a093a463be1b96a13c34c

  • SHA1

    0050623de9db92310232d016b7faf3ac4723682f

  • SHA256

    e2ea44103a510f3381b573b2082c029ca0e51411bf380c3fe02376c5114496e9

  • SHA512

    0a2c877c17ab9ef661cb3b5250bcc6a8daab0b4cc07ecf8b50acdac45aeda65dd7cc51453595b04181a7a29766b0f4b909a5adfa2918eb6907fb960ca636d670

  • SSDEEP

    12288:hNVmFGuqxGXElwkcR9himlNXDlvq28mnkRaoUa1jlojcnaz9y:hfuGGXEWkG5xvaR/Ua1Wjc

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89d8eb69709a093a463be1b96a13c34c_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        C:\Users\Admin\AppData\Local\Temp\tmp.exe
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3284
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe

    Filesize

    509KB

    MD5

    41b66b1a8d604ea0fb82c870475d94de

    SHA1

    cf0b8db17c1c4b5d522bdb57d4b01a33ea0960ee

    SHA256

    8d977cd8dadb8c034768145ada24d3d99ff0b0cc8d72d54e048c4a63034e1f7b

    SHA512

    18b834daad401c94a2edae77c0b02ce4326f160ec0b434ad7ce1475d85dbda1b9ee44036160cdcd3de28923b0e0d678ced589dc80c4bd5f7c3398dd64d19b5ff

  • memory/468-6-0x0000000000700000-0x0000000000701000-memory.dmp

    Filesize

    4KB

  • memory/468-10-0x0000000010000000-0x000000001008A000-memory.dmp

    Filesize

    552KB

  • memory/3284-7-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3284-11-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3284-12-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3284-13-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/3284-14-0x0000000000A80000-0x0000000000A81000-memory.dmp

    Filesize

    4KB

  • memory/3284-15-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB