Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2024, 19:43
Behavioral task: behavioral1
- Sample: d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Size: 304KB
- MD5: d34e00616f9435ea4230af0f02433e00
- SHA1: 84d3dcb08b90c308235cab9cd108197bafe24578
- SHA256: d30ae0561d7bc2e97add3641d019ea2d4e005a194aa92779aac1fdc7ad85aa5c
- SHA512: 1565e181adb8fb67b09cf9f196283be7aa4e2d22272d267072112110178cd330c854bc6f99e940063774e49e90fc5c489488f0815cb13bc9b546b279e78f830c
- SSDEEP: 6144:p2LMosRplrZ4W6CqYKt6jw1j+oSnJTVxdSxoJIksI13t+R:oMowpVWWRFKueZSnJJfJHnS
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (4 IoCs)
  resource | yara_rule
  - behavioral2/memory/5068-34-0x0000000000400000-0x0000000000453000-memory.dmp | modiloader_stage2
  - behavioral2/memory/2616-48-0x0000000000400000-0x00000000005BF000-memory.dmp | modiloader_stage2
  - behavioral2/memory/2616-54-0x0000000000400000-0x00000000005BF000-memory.dmp | modiloader_stage2
  - behavioral2/memory/2616-57-0x0000000000400000-0x00000000005BF000-memory.dmp | modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  - 2616 | msnmsgr.exe
  - 2320 | ldapi32.exe
- Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  description | ioc | Process
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | msnmsgr.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | msnmsgr.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | msnmsgr.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | msnmsgr.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | msnmsgr.exe
  - Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | msnmsgr.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  - 2616 | msnmsgr.exe
  - 2616 | msnmsgr.exe
  - 2616 | msnmsgr.exe
  - 2616 | msnmsgr.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\msnmsgr.exe" | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  - File created | C:\Windows\SysWOW64\ntswrl32.dll | msnmsgr.exe
  - File created | C:\Windows\SysWOW64\ntcvx32.dll | msnmsgr.exe
  - File created | C:\Windows\SysWOW64\ldapi32.exe | msnmsgr.exe
- yara_rule upx matches
  resource | yara_rule
  - behavioral2/files/0x000c000000023b2e-4.dat | upx
  - behavioral2/memory/2616-33-0x0000000000400000-0x00000000005BF000-memory.dmp | upx
  - behavioral2/memory/2616-48-0x0000000000400000-0x00000000005BF000-memory.dmp | upx
  - behavioral2/memory/2616-54-0x0000000000400000-0x00000000005BF000-memory.dmp | upx
  - behavioral2/memory/2616-57-0x0000000000400000-0x00000000005BF000-memory.dmp | upx
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\msnmsgr.exe | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
  - File created | C:\Windows\msnmsgr.exe | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ldapi32.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msnmsgr.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 2320 | ldapi32.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  - 2616 | msnmsgr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  - PID 5068 wrote to memory of 2616 | 5068 | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe | 82
  - PID 5068 wrote to memory of 2616 | 5068 | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe | 82
  - PID 5068 wrote to memory of 2616 | 5068 | d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe | 82
  - PID 2616 wrote to memory of 2320 | 2616 | msnmsgr.exe | 83
  - PID 2616 wrote to memory of 2320 | 2616 | msnmsgr.exe | 83
  - PID 2616 wrote to memory of 2320 | 2616 | msnmsgr.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe (PID 5068, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d34e00616f9435ea4230af0f02433e00_JaffaCakes118.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\msnmsgr.exe (PID 2616, depth 2)
    Command line: "C:\Windows\msnmsgr.exe"
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ldapi32.exe (PID 2320, depth 3)
      Command line: C:\Windows\system32\ldapi32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads