Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2024, 11:46

General

  • Target

    ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    ccd36a7a88b817167d87e8c321597f4e

  • SHA1

    a9cfeac34629b89cc1bd484ffa71e85141f54c4e

  • SHA256

    b23ef3c239b2296e7cf083b738a6fb7ad32c7125cccbf9c1b4b38bcb5ddad516

  • SHA512

    e176044f65c9288e008b3f8c0a1546b2c108b2be133209c84f1d402bb21db4793f5ed762a570ad16eadb2c99a7a8b7270487a46b5b7f793e0020946f1567bb49

  • SSDEEP

    49152:EhNDQ14n+tTb52LVucsFaBgv4TV6JzMsJIz2Ee08O3kp:yDQ14+52huX+oMbz33u

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modiloader family
  • ModiLoader Second Stage 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops autorun.inf file 1 TTPs 35 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
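The report flags trads.exe and the dropped svchost.exe as writing to the Master Boot Record. The first thing a responder wants from an affected host is the raw first sector of the disk, compared against a known-good copy. The following is an added example, not part of the tria.ge report: a Python parser for a 512-byte MBR sector (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and a comparison against a baseline. The two sample sectors are constructed here for illustration; on a real case the current sector comes from a disk image or from `\\.\PhysicalDrive0`.

```python
"""Added example (not part of the tria.ge report): sanity-check an MBR sector against a baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_SIZE = 446           # bootstrap code area, bytes 0-445
PART_TABLE_OFFSET = 446       # four 16-byte partition entries, bytes 446-509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    bootcode = sector[:BOOTCODE_SIZE]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": lba_count})
    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_findings(baseline: bytes, current: bytes) -> list:
    """Compare the current MBR with a known-good baseline; return human-readable findings."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["bootcode_sha256"] != base["bootcode_sha256"]:
        findings.append("bootstrap code differs from baseline: possible bootkit")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def _make_sector(bootcode: bytes, partition_entry: bytes) -> bytes:
    """Build a constructed sector: bootcode padded to 446 bytes, one partition entry, signature."""
    return bootcode.ljust(BOOTCODE_SIZE, b"\x00") + partition_entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed known-good sector: a stub bootstrap plus one bootable NTFS partition (type 0x07)
# starting at LBA 2048 with 204800 sectors. These values are illustrative, not from the report.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
BASELINE_MBR = _make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", NTFS_ENTRY)
# Constructed "infected" sector: same partition table, bootstrap code overwritten.
INFECTED_MBR = _make_sector(b"\xeb\xfe" + b"\x90" * 64, NTFS_ENTRY)

if __name__ == "__main__":
    # For a live host run as Administrator:  open(r"\\.\PhysicalDrive0", "rb").read(512)
    for finding in mbr_findings(BASELINE_MBR, INFECTED_MBR):
        print(finding)
```

A bootkit that preserves the partition table while replacing the bootstrap code would pass a partition-table-only comparison, which is why the bootstrap hash is checked separately. The signature check catches a corrupt or zeroed sector, which is the other common outcome when a non-privileged process attempts the write and fails part way.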

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\temp\tradd.exe
      "C:\temp\tradd.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\program files\internet explorer\IEXPLORE.EXE
        "C:\program files\internet explorer\IEXPLORE.EXE"
        3⤵
          PID:1344
      • C:\temp\trads.exe
        "C:\temp\trads.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Writes to the Master Boot Record (MBR)
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\temp\CQ.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im qq.exe /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\temp\temp.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\cacls.exe
            cacls "C:\Program Files\Windows Media Player\0" /d everyone /e
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1660
        • C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
          "C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡" pid 1692"C:\temp\trads.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 636
            4⤵
            • Program crash
            PID:2968
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 656
            4⤵
            • Program crash
            PID:4976
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000
      1⤵
        PID:1604
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4000 -ip 4000
        1⤵
          PID:4860
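The process tree above shows the behaviour a detection should key on: trads.exe launches cmd.exe to run batch files from C:\temp, one of which force-kills qq.exe with taskkill and the other denies Everyone access to the drop directory under Program Files with `cacls ... /d everyone /e`, and the second-stage payload runs as svchost.exe from inside a directory named autorun.inf. As an added example that is not part of the tria.ge report, the Python below reconstructs ancestry and applies those rules to process-creation events. The events are constructed from the command lines the report shows; the field names (pid, ppid, image, cmdline) are an assumption, not a tria.ge export format.

```python
"""Added example (not part of the tria.ge report): flag the process chain seen in the sandbox tree."""
import re

# Constructed from the command lines in the report; ppid values follow the tree depth markers.
EVENTS = [
    {"pid": 4448, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ccd36a7a88b817167d87e8c321597f4e_JaffaCakes118.exe"'},
    {"pid": 1912, "ppid": 4448, "image": r"C:\temp\tradd.exe", "cmdline": r'"C:\temp\tradd.exe"'},
    {"pid": 1692, "ppid": 4448, "image": r"C:\temp\trads.exe", "cmdline": r'"C:\temp\trads.exe"'},
    {"pid": 1272, "ppid": 1692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\temp\CQ.bat"},
    {"pid": 4892, "ppid": 1272, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /im qq.exe /f"},
    {"pid": 2284, "ppid": 1692, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\temp\temp.bat"},
    {"pid": 1660, "ppid": 2284, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'cacls "C:\Program Files\Windows Media Player\0" /d everyone /e'},
    {"pid": 4000, "ppid": 1692,
     "image": r"C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡",
     "cmdline": r'"C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡" pid 1692"C:\temp\trads.exe"'},
]

# Each rule: (name, predicate over one event). Matching is case-insensitive on Windows paths.
RULES = [
    ("batch file launched from C:\\temp",
     lambda e: e["image"].lower().endswith("\\cmd.exe")
     and re.search(r"/c\s+c:\\temp\\[^ ]+\.bat", e["cmdline"], re.I) is not None),
    ("forced kill of a named process",
     lambda e: e["image"].lower().endswith("\\taskkill.exe")
     and {"/f", "/im"} <= set(e["cmdline"].lower().split())),
    ("ACL deny for Everyone on a dropped directory",
     lambda e: e["image"].lower().endswith("\\cacls.exe")
     and re.search(r"/d\s+everyone", e["cmdline"], re.I) is not None),
    ("executable under an autorun.inf directory",
     lambda e: "\\autorun.inf\\" in e["image"].lower()),
    ("svchost.exe outside System32/SysWOW64",
     lambda e: re.search(r"\\svchost\.exe", e["image"], re.I) is not None
     and re.search(r"\\windows\\(system32|syswow64)\\svchost\.exe", e["image"], re.I) is None),
    ("non-ASCII characters appended after .exe in the image path",
     lambda e: re.search(r"\.exe[^\x00-\x7f]+$", e["image"]) is not None),
]


def flag_event(event: dict) -> list:
    """Return the names of all rules the event matches."""
    return [name for name, pred in RULES if pred(event)]


def ancestry(events: list, pid: int) -> list:
    """Return image file names from the root of the tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events: list) -> dict:
    """Map each flagged pid to its ancestry chain and the rules it matched."""
    return {e["pid"]: (ancestry(events, e["pid"]), flag_event(e)) for e in events if flag_event(e)}


if __name__ == "__main__":
    for pid, (chain, hits) in triage(EVENTS).items():
        print(pid, " > ".join(chain), hits)
```

The ancestry chain is what turns individually noisy events (cmd.exe running a batch file, cacls on a directory) into a single finding: every hit here descends from trads.exe, which itself was dropped by the submitted sample. The final rule exists because the report's image path ends in characters after `.exe`; a file name that does not end in the extension Explorer displays is worth surfacing on its own.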

        Downloads

        • C:\Program Files\Windows Media Player\autorun.inf\desktop.ini

          Filesize

          65B

          MD5

          ad0b0b4416f06af436328a3c12dc491b

          SHA1

          743c7ad130780de78ccbf75aa6f84298720ad3fa

          SHA256

          23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

          SHA512

          884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

        • C:\Users\Admin\AppData\Local\Temp\E_N4\Md5.fne

          Filesize

          28KB

          MD5

          992322b55f2684fe4c83b8e94dd54adb

          SHA1

          0990c5d0da44f3dfa45208c8d7d6ca27614dc165

          SHA256

          d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

          SHA512

          471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

        • C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

          Filesize

          332KB

          MD5

          3102c454a9543e58fe3ad5f783f5a690

          SHA1

          dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

          SHA256

          039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

          SHA512

          5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

        • C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

          Filesize

          192KB

          MD5

          c1180974dd8a7c6d9f8fcc13096b4f7a

          SHA1

          9d50021334248bf0c752b3ed34deed48325da05c

          SHA256

          5b1ff0cabb2384f4b6385c1acce1d5e3a9d7b8e0403e2224cd1ab9722a599d3d

          SHA512

          c8b938bf172b9d2ccfaea34ff7cfddc9eaab8a9416a07e458bd34dfed2ea18de66d23dbaa9f15c2faf1009e00a8dfca3168ab41f02ef28e97c9197c3ca6943e9

        • C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

          Filesize

          1.0MB

          MD5

          4b30dbe1a79b2b7572ff637cb3765ced

          SHA1

          b08eba0e9bdb62d426db8d2b3d451152a56f79a1

          SHA256

          4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

          SHA512

          40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

        • C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

          Filesize

          60KB

          MD5

          97d57d2e349f2afbe6c40baa679f6281

          SHA1

          e9ee8998a6cc9cbc109da0cf741d8803a3762a82

          SHA256

          944fa12ee12b4c008f6ea52cfd6e4b7ce1719a419fb77a65fd0c432160ecc699

          SHA512

          fc3149e1b49680bbb8346769d8cc1c4cecb035636464686412cd0242d6eb52316b171f8b15fed218ebe7850c84a2d4a134dbdb3693c5c369863aabaed66b9d88

        • C:\temp\CQ.bat

          Filesize

          30B

          MD5

          458d6a0f8398f6fa8bda7bb2ba5be353

          SHA1

          eec02a1cf5047cee3d4dee32ef13498c49a61154

          SHA256

          66142298d915314ddb48b417e96b48936e71a190d8f7cd8ae5a053cbe2746ddc

          SHA512

          c4fad6cafa4b17da18f5beceb65f91414c9fa0774c99caeadc87bc44f5faee6425208c78f6f111bec71b2e0cf58922c4bb62a0e3247b2af7699113a76c11c730

        • C:\temp\temp.bat

          Filesize

          72B

          MD5

          593ce3f439bb49aa3ef95af11b146c18

          SHA1

          1475674af547f66b3de40d5afde11fcb558a53eb

          SHA256

          886e68d9e6edb3b9ed472e9990fb9b0822c3be5e4cf6066af986edfac465546b

          SHA512

          76378b3017f75e0dbbf03a8bedf12b5b80c2d5da7a108ab7024acbbb7deac44ed16e054b53e86f9c8aef210f3a9cb3d1d39e43a698281b92149501c39d863349

        • C:\temp\tradd.exe

          Filesize

          689KB

          MD5

          86ef1f02e5ee0ea2e2c01459ba99309e

          SHA1

          234d98c53b1c82453437e032d3a300603e89f46d

          SHA256

          f8e7cee187a8d0fbe85a4eda5d0a04094342b66fbf402cce3aaa8273850b454b

          SHA512

          3407fe92e568c3ce6c7ea50a03d4e1029c5a23d30eeab912abc2e1593be4d1f076597df1d90d5b442b2165e261512f0260d8cea9527a67178f6182705e008cce

        • C:\temp\trads.exe

          Filesize

          797KB

          MD5

          19fa81d3334da1f3c3c38c1be26fed09

          SHA1

          bf1c12c63d2ed15732b30a913f8b8c082f4375ae

          SHA256

          130a1b2020219f829779c0f7c337fe2735848fa77da0783fdcb59aed57bff0c5

          SHA512

          04efec623a7fae6061142c234b32e3c45b5dd3b23ccce4c5e57cf3c87c77dcb74f0d26bc92a0050dfbf9e6785e0924a1a740afc539d5712c95280117105ab7a0

        • memory/1692-141-0x0000000000400000-0x000000000047223C-memory.dmp

          Filesize

          456KB

        • memory/1692-37-0x0000000000400000-0x000000000047223C-memory.dmp

          Filesize

          456KB

        • memory/1912-40-0x0000000002290000-0x0000000002291000-memory.dmp

          Filesize

          4KB

        • memory/1912-41-0x0000000000400000-0x00000000004C0000-memory.dmp

          Filesize

          768KB

        • memory/4000-136-0x0000000000400000-0x000000000047223C-memory.dmp

          Filesize

          456KB

        • memory/4000-133-0x0000000002150000-0x00000000021B3000-memory.dmp

          Filesize

          396KB

        • memory/4000-144-0x0000000000400000-0x000000000047223C-memory.dmp

          Filesize

          456KB

        • memory/4448-12-0x0000000002320000-0x0000000002335000-memory.dmp

          Filesize

          84KB

        • memory/4448-0-0x0000000000400000-0x0000000000582000-memory.dmp

          Filesize

          1.5MB

        • memory/4448-145-0x0000000000400000-0x0000000000582000-memory.dmp

          Filesize

          1.5MB