Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2024, 01:16 UTC

General

  • Target

    ca529b9a36c74d66f877cf52addefab0_JaffaCakes118.exe

  • Size

    205KB

  • MD5

    ca529b9a36c74d66f877cf52addefab0

  • SHA1

    6e932f4e2f51fa351070cf0e2c426f930da7e19b

  • SHA256

    bb7552982ca26ee9cb795930acf815b60593d6705a5160c92de6f186dfef784a

  • SHA512

    25921db9d542af8caa62145d43e699c095f324a1020e5fe13943748f093d165240443e2520c5e5352a171697b60f0ca73be603430cee64c8c2db1df8d3dc0239

  • SSDEEP

    6144:GXkVBFAveiN7Za1NVGFdi7AEQGjCahwCrKoU:GXCYxZYsdGAHGj/XU

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • UAC bypass 3 TTPs 1 IoCs
  • ModiLoader Second Stage 22 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca529b9a36c74d66f877cf52addefab0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ca529b9a36c74d66f877cf52addefab0_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Users\Admin\AppData\Local\Temp\ca529b9a36c74d66f877cf52addefab0_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ca529b9a36c74d66f877cf52addefab0_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\mstwain32.exe
          "C:\Windows\mstwain32.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2424
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:468
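The tree above shows the sample spawning a second copy of itself, then the dropped C:\Windows\mstwain32.exe doing the same, with the parent in each pair flagged for SetThreadContext and WriteProcessMemory. That parent/child combination is the usual shape of process hollowing (RunPE): a fresh, suspended copy of the same image is started and its thread context is rewritten to run injected code. The following is an added example, not tria.ge code: the process records are transcribed from the Processes section (parent links follow the tree nesting), and the two heuristics are the author's own rather than tria.ge signatures.

```python
"""Flag the self-spawn + thread-context-rewrite pattern from this report's process tree.

Added example, not tria.ge code.  Process records are transcribed from the report;
the heuristics (child image equals parent image while the parent used
SetThreadContext and WriteProcessMemory; executable sitting directly in
C:\\Windows) are the author's assumptions, not tria.ge signatures.
"""
from dataclasses import dataclass, field
import ntpath
from typing import List, Optional, Set


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]          # None for tree roots
    image: str
    behaviours: Set[str] = field(default_factory=set)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ca529b9a36c74d66f877cf52addefab0_JaffaCakes118.exe"
DROPPED = r"C:\Windows\mstwain32.exe"

# Transcribed from the report's process tree (behaviour names shortened).
PROCESSES: List[Proc] = [
    Proc(1144, None, SAMPLE, {"SetThreadContext", "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(3076, 1144, SAMPLE, {"AdjustPrivilegeToken", "FindShellTrayWindow",
                              "WriteProcessMemory", "DropsFileInWindowsDir"}),
    Proc(2308, 3076, DROPPED, {"ExecutesDroppedExe", "SetThreadContext",
                               "SetWindowsHookEx", "WriteProcessMemory"}),
    Proc(2424, 2308, DROPPED, {"UACBypass", "LoadsDroppedDll", "AddsRunKey",
                               "SystemPolicyModification", "AdjustPrivilegeToken"}),
    Proc(468, None, r"C:\Windows\system32\vssvc.exe", {"AdjustPrivilegeToken"}),
]

# A parent that rewrites a child's thread context after writing into its memory
# is the RunPE/hollowing primitive; on its own, same-image spawning is benign.
HOLLOW_MARKERS = {"SetThreadContext", "WriteProcessMemory"}


def hollowed_children(procs: List[Proc]) -> List[int]:
    """PIDs of children that look like hollowed copies of their parent."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None:
            continue
        if p.image.lower() == parent.image.lower() and HOLLOW_MARKERS <= parent.behaviours:
            hits.append(p.pid)
    return hits


def runs_from_windows_root(procs: List[Proc]) -> List[int]:
    """PIDs whose image sits directly in C:\\Windows (not System32/SysWOW64),
    which is where this loader drops its copy and is rare for legitimate code."""
    return [p.pid for p in procs if ntpath.dirname(p.image).lower() == r"c:\windows"]


if __name__ == "__main__":
    print("likely hollowed:", hollowed_children(PROCESSES))
    print("running from C:\\Windows root:", runs_from_windows_root(PROCESSES))
```

Against this tree the hollowing check fires twice (PIDs 3076 and 2424), matching the two places where a same-image child follows a SetThreadContext/WriteProcessMemory parent; the root-directory check picks out both mstwain32.exe instances and ignores vssvc.exe in System32.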

Network

All lookups were sent to 8.8.8.8:53, each as one request packet and one response packet; Sent/Recv are the byte counts the sandbox recorded. A dash in the Answer column means the resolver returned no record. Only the A lookups are attributed to a process: all eight come from the dropped copy C:\Windows\mstwain32.exe, which kept asking for the same dynamic-DNS name without ever receiving an address. The PTR lookups have no initiating process attributed; only the one for 2.23.210.88 was answered.

  #   Query                          Type  Process         Sent  Recv   Answer
  1   241.150.49.20.in-addr.arpa     PTR   -               72 B  158 B  -
  2   133.130.81.91.in-addr.arpa     PTR   -               72 B  147 B  -
  3   17.160.190.20.in-addr.arpa     PTR   -               72 B  158 B  -
  4   95.221.229.192.in-addr.arpa    PTR   -               73 B  144 B  -
  5   alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  6   217.106.137.52.in-addr.arpa    PTR   -               73 B  147 B  -
  7   alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  8   212.20.149.52.in-addr.arpa     PTR   -               72 B  146 B  -
  9   15.164.165.52.in-addr.arpa     PTR   -               72 B  146 B  -
  10  alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  11  22.49.80.91.in-addr.arpa       PTR   -               70 B  145 B  -
  12  alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  13  alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  14  88.210.23.2.in-addr.arpa       PTR   -               70 B  133 B  a2-23-210-88.deploy.static.akamaitechnologies.com
  15  29.243.111.52.in-addr.arpa     PTR   -               72 B  158 B  -
  16  alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  17  alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
  18  alexbucur2804.no-ip.org        A     mstwain32.exe   69 B  129 B  -
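The network section reduces to one detectable pattern: a binary running from the C:\Windows root repeatedly resolving a dynamic-DNS hostname and never getting an address back, i.e. a C2 host that is offline while the client retries in a loop. The block below is an added example, not tria.ge code. Its records are constructed from the DNS table above in a simplified shape loosely modelled on Sysmon Event ID 22; the field set, the dynamic-DNS suffixes other than no-ip.org, and the retry threshold are the author's assumptions.

```python
"""Hunt over DNS telemetry for the beaconing pattern in this report's Network section.

Added example, not tria.ge code.  Records are constructed from the report's DNS
table in a simplified shape loosely modelled on Sysmon Event ID 22 (Image,
QueryName, QueryResults); the field set, the dynamic-DNS suffixes other than
no-ip.org, and the retry threshold are the author's assumptions.
"""
from collections import defaultdict
import ntpath
from typing import Dict, List

# Dynamic-DNS providers: no-ip.org is the one in the report, the rest are assumed.
DYNDNS_SUFFIXES = (".no-ip.org", ".no-ip.com", ".ddns.net", ".duckdns.org")
WINDOWS_ROOT = r"c:\windows"

# Reverse lookups from the report: no initiating process attributed, and only
# the Akamai address got an answer.
_PTR_QUERIES = [
    ("241.150.49.20.in-addr.arpa", ""),
    ("133.130.81.91.in-addr.arpa", ""),
    ("17.160.190.20.in-addr.arpa", ""),
    ("95.221.229.192.in-addr.arpa", ""),
    ("217.106.137.52.in-addr.arpa", ""),
    ("212.20.149.52.in-addr.arpa", ""),
    ("15.164.165.52.in-addr.arpa", ""),
    ("22.49.80.91.in-addr.arpa", ""),
    ("88.210.23.2.in-addr.arpa", "a2-23-210-88.deploy.static.akamaitechnologies.com"),
    ("29.243.111.52.in-addr.arpa", ""),
]
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "", "QueryName": q, "QueryType": "PTR", "QueryResults": a}
    for q, a in _PTR_QUERIES
] + [
    # Eight A lookups from the dropped copy, none of which returned an address.
    {"Image": r"C:\Windows\mstwain32.exe", "QueryName": "alexbucur2804.no-ip.org",
     "QueryType": "A", "QueryResults": ""}
    for _ in range(8)
]


def is_dyndns(name: str) -> bool:
    return name.lower().endswith(DYNDNS_SUFFIXES)


def image_in_windows_root(image: str) -> bool:
    """True for executables sitting directly in C:\\Windows, where this loader
    drops itself; System32 and SysWOW64 are deliberately not matched."""
    return ntpath.dirname(image).lower() == WINDOWS_ROOT


def analyze(events: List[Dict[str, str]], min_retries: int = 3) -> List[Dict]:
    """Group lookups by (process image, name) and flag the suspicious groups."""
    groups: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for ev in events:
        groups[(ev["Image"], ev["QueryName"].lower())].append(ev)
    findings = []
    for (image, qname), evs in groups.items():
        flags = []
        if is_dyndns(qname):
            flags.append("dynamic-dns")
        # The same name asked again and again with no answer: the C2 host is
        # offline (or the name is parked) and the client is retrying in a loop.
        if len(evs) >= min_retries and all(not e["QueryResults"] for e in evs):
            flags.append("unresolved-retries")
        if image and image_in_windows_root(image):
            flags.append("image-in-windows-root")
        if flags:
            findings.append({"image": image, "query": qname,
                             "count": len(evs), "flags": flags})
    return sorted(findings, key=lambda f: -len(f["flags"]))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['query']}  x{f['count']}  {f['image'] or '-'}  {', '.join(f['flags'])}")
```

On the report's traffic the only finding is alexbucur2804.no-ip.org, seen eight times from C:\Windows\mstwain32.exe and carrying all three flags; the PTR lookups produce nothing because they are single, unattributed queries. In production telemetry the unresolved-retry flag on its own is noisy (any broken internal name trips it), so treat the combination, not any single flag, as the alert condition.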

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\699c4b9cdebca7aaea5193cae8a50098_755b0f1a-bb38-4bb2-bc7e-240c892146ee

    Filesize

    50B

    MD5

    5b63d4dd8c04c88c0e30e494ec6a609a

    SHA1

    884d5a8bdc25fe794dc22ef9518009dcf0069d09

    SHA256

    4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

    SHA512

    15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

  • C:\Windows\cmsetac.dll

    Filesize

    32KB

    MD5

    d4ec2ce3b40ff37e44b3400d98d520cd

    SHA1

    d3609c9e187e4d868806629cff79a8d02831bc17

    SHA256

    0ee80487165108540b6895f7f3fe1246c45019cba39abb848628e91e71107cae

    SHA512

    95d132f67f65d672f0301641595ac3079c8b334a9a85577416177722092690e97f03d1cb8d53ed996d6681c92b37a67b249ff10e987eb518e3def6ff75e7bc1a

  • C:\Windows\mstwain32.exe

    Filesize

    205KB

    MD5

    ca529b9a36c74d66f877cf52addefab0

    SHA1

    6e932f4e2f51fa351070cf0e2c426f930da7e19b

    SHA256

    bb7552982ca26ee9cb795930acf815b60593d6705a5160c92de6f186dfef784a

    SHA512

    25921db9d542af8caa62145d43e699c095f324a1020e5fe13943748f093d165240443e2520c5e5352a171697b60f0ca73be603430cee64c8c2db1df8d3dc0239

  • C:\Windows\ntdtcstp.dll

    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

  • memory/2424-47-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-69-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-87-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-84-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-31-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-32-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-33-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-34-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-81-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-78-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-44-0x0000000002350000-0x000000000235E000-memory.dmp

    Filesize

    56KB

  • memory/2424-46-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-75-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-50-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-49-0x0000000002350000-0x000000000235E000-memory.dmp

    Filesize

    56KB

  • memory/2424-48-0x0000000000970000-0x0000000000978000-memory.dmp

    Filesize

    32KB

  • memory/2424-51-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-54-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-57-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-60-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-63-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-66-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/2424-72-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3076-8-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3076-3-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3076-5-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3076-6-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3076-25-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/3076-7-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB
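The hashes above show that C:\Windows\mstwain32.exe is byte-for-byte the submitted sample: the loader installs a copy of itself rather than a distinct second stage, so a hash match on the original also catches the persisted copy. The two DLLs (cmsetac.dll, ntdtcstp.dll) have their own hashes. The following triage script is an added example, not tria.ge code: the SHA-256 values and file names come from this report, while the Run-key check is an assumption (the report says a Run key is added but does not show its value), and the directory walk is the author's own.

```python
"""Host-side triage for the artifacts listed in this report's Downloads section.

Added example, not tria.ge code.  SHA-256 values and file names are taken from
the report.  The Run-key heuristic is an assumption: the report states that a
Run key is added but does not show which value or command line.
"""
import hashlib
import ntpath
import os
import sys
from typing import Dict, Iterator, List, Tuple

# SHA-256 -> description, from the report.  mstwain32.exe shares the submitted
# sample's hash, so one entry covers both the original and the dropped copy.
IOC_SHA256: Dict[str, str] = {
    "bb7552982ca26ee9cb795930acf815b60593d6705a5160c92de6f186dfef784a":
        "ModiLoader sample / C:\\Windows\\mstwain32.exe (self-copy)",
    "0ee80487165108540b6895f7f3fe1246c45019cba39abb848628e91e71107cae":
        "C:\\Windows\\cmsetac.dll",
    "e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378":
        "C:\\Windows\\ntdtcstp.dll",
}
# Repacked variants change the hash; the dropped file names tend to survive.
IOC_NAMES = {"mstwain32.exe", "cmsetac.dll", "ntdtcstp.dll"}


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of an in-memory buffer, for comparing against the report."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for h in hs.values():
        h.update(data)
    return {k: h.hexdigest() for k, h in hs.items()}


def file_sha256(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_iocs(path: str, sha256: str) -> List[str]:
    """Reasons a file matches: exact hash from the report and/or a dropped-file name."""
    hits = []
    desc = IOC_SHA256.get(sha256.lower())
    if desc:
        hits.append("hash:" + desc)
    name = ntpath.basename(path).lower()   # ntpath handles both / and \ separators
    if name in IOC_NAMES:
        hits.append("name:" + name)
    return hits


def scan_tree(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Hash every readable file under root and yield the ones that match."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                hits = match_iocs(path, file_sha256(path))
            except OSError:
                continue   # locked or unreadable (system files in use)
            if hits:
                yield path, hits


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Run-key value names whose command references the dropped loader (assumed indicator)."""
    return [name for name, cmd in run_values.items() if "mstwain32.exe" in cmd.lower()]


def read_run_values() -> Dict[str, str]:
    """Collect HKCU and HKLM ...\\CurrentVersion\\Run values on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    out: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out[name] = str(value)
                i += 1
    return out


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path, hits in scan_tree(root):
        print(path, "->", ", ".join(hits))
    for name in suspicious_run_values(read_run_values()):
        print("Run value references dropped loader:", name)
```

Pointing the script at C:\Windows hashes the whole tree, which takes a while; the dropped files in this report sit directly in the root, so a first pass over that directory alone is a reasonable shortcut. A name hit without a hash hit means either a repacked variant or a legitimate file that happens to share the name, so confirm by hashing before acting on it.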
