Analysis
- max time kernel: 93s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2024, 02:00
Behavioral task: behavioral1
- Sample: d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
- Size: 171KB
- MD5: d023b9a1794027921c6f8b9dfc9afc49
- SHA1: fa0e8e3ec2933eae7e4b84ad3f57ba6e842e9f60
- SHA256: 0ec6d1d92ab28d4c51093d763fbc421cd749bfbb238e7bd09cbad54abfe45d0a
- SHA512: 96a9e8b82f588edce8b5d1b7c513883415e6e700b953261d76c7c28e218df5abf755dec2aba7625f48b8c96a8f5dcb1c881b25ae6d0eca8abc7f23d3ccbcd725
- SSDEEP: 3072:UZOcXlWZvIyoNJxmaKrQUdM24BOcXlWZvIyoNJxmaKrQUxM24:QOceOHx6rQDzOceOHx6rQv
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (1 IoC)
  resource | yara_rule
  behavioral2/memory/1040-36-0x0000000000400000-0x0000000000432000-memory.dmp | modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  4952 | sys.exe
  2196 | sys.exe
  8 | sys.exe
  724 | sys.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 4952 set thread context of 2196 | 4952 | sys.exe | 84
  PID 4952 set thread context of 0 | 4952 | sys.exe |
  PID 8 set thread context of 724 | 8 | sys.exe | 86
  PID 8 set thread context of 0 | 8 | sys.exe |
- upx (yara_rule matches, 5 IoCs)
  resource | yara_rule
  behavioral2/files/0x000c000000023b2e-4.dat | upx
  behavioral2/memory/4952-11-0x0000000000400000-0x0000000000430000-memory.dmp | upx
  behavioral2/memory/4952-20-0x0000000000400000-0x0000000000430000-memory.dmp | upx
  behavioral2/files/0x000c000000023b2e-35.dat | upx
  behavioral2/memory/8-46-0x0000000000400000-0x0000000000430000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sys.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sys.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2196 | sys.exe
  2196 | sys.exe
  2196 | sys.exe
  2196 | sys.exe
  724 | sys.exe
  724 | sys.exe
  724 | sys.exe
  724 | sys.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4952 | sys.exe
  8 | sys.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target
  PID 1040 wrote to memory of 4952 | 1040 | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe | 83
  PID 1040 wrote to memory of 4952 | 1040 | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe | 83
  PID 1040 wrote to memory of 4952 | 1040 | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe | 83
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 2196 | 4952 | sys.exe | 84
  PID 4952 wrote to memory of 0 | 4952 | sys.exe |
  PID 4952 wrote to memory of 0 | 4952 | sys.exe |
  PID 4952 wrote to memory of 0 | 4952 | sys.exe |
  PID 4952 wrote to memory of 0 | 4952 | sys.exe |
  PID 2196 wrote to memory of 3504 | 2196 | sys.exe | 56
  PID 2196 wrote to memory of 3504 | 2196 | sys.exe | 56
  PID 2196 wrote to memory of 3504 | 2196 | sys.exe | 56
  PID 2196 wrote to memory of 3504 | 2196 | sys.exe | 56
  PID 1040 wrote to memory of 8 | 1040 | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe | 85
  PID 1040 wrote to memory of 8 | 1040 | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe | 85
  PID 1040 wrote to memory of 8 | 1040 | d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe | 85
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 724 | 8 | sys.exe | 86
  PID 8 wrote to memory of 0 | 8 | sys.exe |
  PID 8 wrote to memory of 0 | 8 | sys.exe |
  PID 8 wrote to memory of 0 | 8 | sys.exe |
  PID 8 wrote to memory of 0 | 8 | sys.exe |
  PID 724 wrote to memory of 3504 | 724 | sys.exe | 56
  PID 724 wrote to memory of 3504 | 724 | sys.exe | 56
  PID 724 wrote to memory of 3504 | 724 | sys.exe | 56
  PID 724 wrote to memory of 3504 | 724 | sys.exe | 56
Processes
- C:\Windows\Explorer.EXE (PID 3504)
  command line: C:\Windows\Explorer.EXE
  children:
  - C:\Users\Admin\AppData\Local\Temp\d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe (PID 1040)
    command line: "C:\Users\Admin\AppData\Local\Temp\d023b9a1794027921c6f8b9dfc9afc49_JaffaCakes118.exe"
    signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    children:
    - C:\Users\Admin\AppData\Local\Temp\sys.exe (PID 4952)
      command line: "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      children:
      - C:\Users\Admin\AppData\Local\Temp\sys.exe (PID 2196)
        command line: "C:\Users\Admin\AppData\Local\Temp\sys.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\sys.exe (PID 8)
      command line: "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      children:
      - C:\Users\Admin\AppData\Local\Temp\sys.exe (PID 724)
        command line: "C:\Users\Admin\AppData\Local\Temp\sys.exe"
        signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: f365930d84aa84aaf254a40fe2852ac6
  SHA1: ed63672e5364bd8a7eedd21d48ff2c7304ec502c
  SHA256: bb2d069adecdb05c683206376927bf8cd9633e49b1b620078f2cb015ac54d8bb
  SHA512: 99b1c975c7d6a4e99f49bd51e6c6f9d5666526ee3ee846775565af9d620bbe849b307165065eba90ed834380be498f3f0e47a8fa26cc105ceb814e29c2d19672
- Filesize: 80KB
  MD5: 715715237a0bfb04d226485f79893be0
  SHA1: bc6a1f5ad7d4e09491512b67cd01e6497125060f
  SHA256: 209b2abaa0e7996a6be8f38f72b1aa16b84b1de86b8f80db33b718f607c8bf78
  SHA512: d3af21e34527a4ea0d866140f272c82184d962b6ad64383fde692df28c5a880ffad5c222d46de31dac838d0b79e10d7e7b8aaa0da0e64ced8834eb5ac6ec0927