Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/12/2024, 13:37

General

  • Target

    d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe

  • Size

    294KB

  • MD5

    d74f54b77e0c4fed6b92e5c05a25894b

  • SHA1

    c1fe5e83e96b66a99283635a8680dc166848a74b

  • SHA256

    f1d856023c3980c83cc8e15bcb962db208ca8d7112c58b5e6df6279a36073a09

  • SHA512

    50172b652c7e5f5b851dbbc4ef4c9ca42770303d7e65575d35463ad7e80a1621def0e26e75977f7b460b4a79734e48d6f91b23ad3a1fe0ec6fa2b8417e562dc6

  • SSDEEP

    6144:vVrhP9RbTRXkqaSFJoFJX+TWgUW4iRLA3zm+2tfvCuZwo/Zk/6hFBR47396xrZk:LP/bT5kqa8MJOWCAYvThkR3oxrO

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d74f54b77e0c4fed6b92e5c05a25894b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\reg.exe
        Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2204
    • C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe
      "C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe"
      2⤵
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2904
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:2316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Build.bat

      Filesize

      1KB

      MD5

      3f5b9f2b34b14f22b7775c2c0a91f1a2

      SHA1

      0297877c09e7761df5a5980bcaf1b0b0262709da

      SHA256

      cf63ce623bddd27c7b62a49aa40cd5a231fbdbde94405a8a10c13eb6a8b49ba8

      SHA512

      8e68daf530086151c0146d74da292d26ea15c67adfed763209ebb984c8b622008f721fe3e2d5ae8b1b599d57976319ee6f653589f50e0f97620b1baefeda69b1

    • C:\Users\Admin\AppData\Local\Temp\âûàûâ.exe

      Filesize

      401KB

      MD5

      4bc37f0a2f0920dbca852fedaf8eea47

      SHA1

      b65c15ea93416ddc135ec808e1b57bd1dd800459

      SHA256

      0cc0ff43a156227bdfba1d777cd8738021607c3ed8a330548c37ad26d63afa03

      SHA512

      b5ed2976bb6433fd1617dd8271871543e588c9562a341289d18eea010b1c285d1a4dcb303027ea0689ec7e1a8d5be9c85cd21b8ed764fe9040bf537582e9abcd

    • memory/2904-17-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2904-20-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2904-19-0x0000000000400000-0x000000000046B000-memory.dmp

      Filesize

      428KB