Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
05/12/2024, 18:44
General
-
Target
c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe
-
Size
132KB
-
MD5
c8f43f03945d4acdb249b83d6d3fcd69
-
SHA1
3f5f4a3757dcc930a035cbbb220249f2a98e5bb8
-
SHA256
bc32a42d79f013887998f7da1c3039ea14d45dedd46c1a9656293e99af54fe5a
-
SHA512
8208f487d757f868bd3409a9534119c88bd0d8938cdbe4b7642e4d7c2524598d7fd4d6ad09667bb0f1a333c5aafd25874da3174be514a792d4702a8b1156093e
-
SSDEEP
3072:EUfrSzltkzP/1MS2RU4DvwOcY7ABfre2QglSvS332d:EqrSzSn1gU4Dr74enSGd
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 16 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\decrypted.exe"C:\Users\Admin\AppData\Local\Temp\decrypted.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD5ff96661ce4bfdde3d810b1303cba897e
SHA188831b4278fcb858b3d75d6541d0cdbeb8042d63
SHA256e93bfdbaaebd5fbdba580d67472b2a2e25acfcf2a445a7e7944a4ef92e025fd6
SHA5121d9031c933069cb5eccb70f40dbb825aa1a426ca1ae4c98aa9ffe6efe00e8b69fee7098a248059d5bed4527fe61eeb8e8bcdf27b66dd5f31d6acd68d3638c8ca
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
320KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB