Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
05/12/2024, 18:44
Static task
static1
Behavioral task
behavioral1
Sample
c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe
-
Size
132KB
-
MD5
c8f43f03945d4acdb249b83d6d3fcd69
-
SHA1
3f5f4a3757dcc930a035cbbb220249f2a98e5bb8
-
SHA256
bc32a42d79f013887998f7da1c3039ea14d45dedd46c1a9656293e99af54fe5a
-
SHA512
8208f487d757f868bd3409a9534119c88bd0d8938cdbe4b7642e4d7c2524598d7fd4d6ad09667bb0f1a333c5aafd25874da3174be514a792d4702a8b1156093e
-
SSDEEP
3072:EUfrSzltkzP/1MS2RU4DvwOcY7ABfre2QglSvS332d:EqrSzSn1gU4Dr74enSGd
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
ModiLoader Second Stage 16 IoCs
resource yara_rule behavioral1/memory/1688-25-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-31-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-34-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-35-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-38-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-41-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-44-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-48-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-51-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-54-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-57-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-60-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-63-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-66-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-69-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral1/memory/2252-72-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 -
Executes dropped EXE 2 IoCs
pid Process 1688 decrypted.exe 2252 mstwain32.exe -
Loads dropped DLL 3 IoCs
pid Process 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 1688 decrypted.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA decrypted.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mstwain32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
resource yara_rule behavioral1/files/0x000c00000001202c-4.dat upx behavioral1/memory/1688-11-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/1688-25-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-31-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-34-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-35-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-38-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-41-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-44-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-48-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-51-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-54-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-57-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-60-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-63-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-66-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-69-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral1/memory/2252-72-0x0000000000400000-0x0000000000450000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\mstwain32.exe decrypted.exe File opened for modification C:\Windows\mstwain32.exe decrypted.exe File created C:\Windows\ntdtcstp.dll mstwain32.exe File created C:\Windows\cmsetac.dll mstwain32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language decrypted.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mstwain32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1688 decrypted.exe Token: SeBackupPrivilege 2368 vssvc.exe Token: SeRestorePrivilege 2368 vssvc.exe Token: SeAuditPrivilege 2368 vssvc.exe Token: SeDebugPrivilege 2252 mstwain32.exe Token: SeDebugPrivilege 2252 mstwain32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 2252 mstwain32.exe 2252 mstwain32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2064 wrote to memory of 1688 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 30 PID 2064 wrote to memory of 1688 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 30 PID 2064 wrote to memory of 1688 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 30 PID 2064 wrote to memory of 1688 2064 c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe 30 PID 1688 wrote to memory of 2252 1688 decrypted.exe 35 PID 1688 wrote to memory of 2252 1688 decrypted.exe 35 PID 1688 wrote to memory of 2252 1688 decrypted.exe 35 PID 1688 wrote to memory of 2252 1688 decrypted.exe 35 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c8f43f03945d4acdb249b83d6d3fcd69_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\decrypted.exe"C:\Users\Admin\AppData\Local\Temp\decrypted.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2252
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD5ff96661ce4bfdde3d810b1303cba897e
SHA188831b4278fcb858b3d75d6541d0cdbeb8042d63
SHA256e93bfdbaaebd5fbdba580d67472b2a2e25acfcf2a445a7e7944a4ef92e025fd6
SHA5121d9031c933069cb5eccb70f40dbb825aa1a426ca1ae4c98aa9ffe6efe00e8b69fee7098a248059d5bed4527fe61eeb8e8bcdf27b66dd5f31d6acd68d3638c8ca