Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2024, 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
- Size: 294KB
- MD5: d74f54b77e0c4fed6b92e5c05a25894b
- SHA1: c1fe5e83e96b66a99283635a8680dc166848a74b
- SHA256: f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09
- SHA512: 50172b652c7e5f5b851dbbc4ef4c9ca42770303d7e65575d35463ad7e80a1621def0e26e75977f7b460b4a79734e48d6f91b23ad3a1fe0ec6fa2b8417e562dc6
- SSDEEP: 6144:vVrhP9RbTRXkqaSFJoFJX+TWgUW4iRLA3zm+2tfvCuZwo/Zk/6hFBR47396xrZk:LP/bT5kqa8MJOWCAYvThkR3oxrO
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000016cc5-14.dat | modiloader_stage2
  behavioral1/memory/2904-19-0x0000000000400000-0x000000000046B000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoCs)
  pid | Process
  2904 | âûàûâ.exe
- Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | âûàûâ.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | âûàûâ.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  1800 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\âûàûâ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\âûàûâ.exe" | âûàûâ.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | âûàûâ.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies registry key (1 TTPs, 1 IoCs)
  pid | Process
  2204 | reg.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2904 | âûàûâ.exe (the same entry repeated 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2904 | âûàûâ.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1800 wrote to memory of 1788 | 1800 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 30 (4 identical entries)
  PID 1800 wrote to memory of 2904 | 1800 | d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe | 32 (4 identical entries)
  PID 1788 wrote to memory of 2204 | 1788 | cmd.exe | 33 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe"
  PID: 1800
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
    PID: 1788
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\reg.exe
      Command line: Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
      PID: 2204
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe"
    PID: 2904
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2316
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 3f5b9f2b34b14f22b7775c2c0a91f1a2
  SHA1: 0297877c09e7761df5a5980bcaf1b0b0262709da
  SHA256: cf63ce623bddd27c7b62a49aa40cd5a231fbdbde94405a8a10c13eb6a8b49ba8
  SHA512: 8e68daf530086151c0146d74da292d26ea15c67adfed763209ebb984c8b622008f721fe3e2d5ae8b1b599d57976319ee6f653589f50e0f97620b1baefeda69b1
- Filesize: 401KB
  MD5: 4bc37f0a2f0920dbca852fedaf8eea47
  SHA1: b65c15ea93416ddc135ec808e1b57bd1dd800459
  SHA256: 0cc0ff43a156227bdfba1d777cd8738021607c3ed8a330548c37ad26d63afa03
  SHA512: b5ed2976bb6433fd1617dd8271871543e588c9562a341289d18eea010b1c285d1a4dcb303027ea0689ec7e1a8d5be9c85cd21b8ed764fe9040bf537582e9abcd