Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/12/2024, 12:09
Static task: static1

Behavioral task: behavioral1
Sample: d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
Size: 546KB
MD5: d98cf17a946979949dcdadf337a8cc38
SHA1: d47368e55eb7069b3a075ec0c5f17f4fc83c524b
SHA256: e54a56cb1bf8a5eba886cb79a4dc81763c62b187100af78124384d2c38e21691
SHA512: 5d2eb0bba0613e1b5b244de6f4e2ec989bb26902d59daae611f2f1ff4046fd4f9bcb877b116094e7e3063af83bc78b08f19f580c99e3ca851a329c2b7d55fcab
SSDEEP: 12288:fsja8ws/s7gg5fr74Sne8o0/eaTWCMHTV/XJ6RoPtCaCcbnpqhh:38Jg5D7JLrLaJ/XERoP+ctqhh
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family
ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral2/memory/4236-14-0x0000000000770000-0x0000000000837000-memory.dmp | modiloader_stage2
behavioral2/memory/4236-13-0x00000000005D0000-0x000000000069C000-memory.dmp | modiloader_stage2
Both dumps are from PID 4236 (the dropped Anti_AV v1.2.1_en.exe), the same process that WerFault later reports as crashed; the second-stage rule matched in memory before the crash.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
pid | Process
4236 | Anti_AV v1.2.1_en.exe
2164 | win32.exe
3352 | win32.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Anti_AV v1.2.1_en.exe | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Ultimate AV Killer By Royal 07 10 07.bat | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\win32.exe | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
The sample is a 32-bit process (arch:x86 tag; its children run from SysWOW64), so its writes to C:\Windows\system32 are redirected by WoW64 file-system redirection to C:\Windows\SysWOW64. That is why the command lines in the process tree name system32 while the recorded paths are SysWOW64.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3352 set thread context of 3444 | 3352 | win32.exe | 56
PID 3444 is Explorer.EXE, the root of the process tree. Combined with the WriteProcessMemory events from 3352 to 3444 below, this is injection into an already-running Explorer rather than into a process win32.exe spawned itself.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4500 | 4236 | WerFault.exe | 84
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msinfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anti_AV v1.2.1_en.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | win32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | win32.exe
Five of the eight hits come from stock Windows binaries (cmd.exe, msiexec.exe, taskkill.exe, msinfo32.exe) that read this key as part of ordinary NLS initialisation, so this signature is low signal on its own; the Geo\Nation query issued by the sample itself (above) is the deliberate location check.
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | msinfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | msinfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | msinfo32.exe
All six reads are by msinfo32.exe, a legitimate Windows tool launched from the dropped .bat file; enumerating SCSI and BIOS keys is what msinfo32 does to build its report, so the sample itself is not shown performing anti-VM checks here. The enumerated QEMU DVD-ROM does reveal the sandbox hypervisor, and that information is available to anything that reads msinfo32's output.
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msinfo32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | msinfo32.exe
Kills process with taskkill (1 IoC)
pid | Process
2768 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2768 | taskkill.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1680 | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (24 IoCs; each event below was recorded three times)
description | pid | Process | procid_target
PID 1680 wrote to memory of 4236 | 1680 | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe | 84
PID 1680 wrote to memory of 4788 | 1680 | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe | 86
PID 1680 wrote to memory of 2164 | 1680 | d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe | 88
PID 2164 wrote to memory of 3352 | 2164 | win32.exe | 89
PID 3352 wrote to memory of 3444 | 3352 | win32.exe | 56
PID 4788 wrote to memory of 2668 | 4788 | cmd.exe | 92
PID 4788 wrote to memory of 2768 | 4788 | cmd.exe | 94
PID 4788 wrote to memory of 1472 | 4788 | cmd.exe | 99
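The signatures above are per-event tags; what an analyst actually wants is the handful of conclusions they support: the sample itself queried Geo\Nation, msinfo32 (not the sample) enumerated a QEMU SCSI device, and win32.exe both wrote to and changed a thread context in Explorer.EXE, a process it did not spawn. The script below re-derives those conclusions from rows transcribed out of the tables above. It is an added example, not tria.ge code: the tuple layout of EVENTS, the PARENTS map and the VM_VENDORS list are this script's own assumptions (tria.ge does not export this shape), and VM_VENDORS is just a short list of vendor strings commonly seen on hypervisor-emulated devices.

```python
"""Re-derive the high-signal behaviours in this report from its IoC rows.

Added example, not tria.ge code. EVENTS and PARENTS are transcribed from the
tables and process tree above into this script's own (pid, process, action,
target) layout. VM_VENDORS is an assumption: vendor strings commonly seen in
hypervisor-emulated SCSI devices.
"""
import re
from collections import defaultdict

SAMPLE = "d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe"

# Constructed from the report's IoC tables (a subset, enough to show each pattern).
EVENTS = [
    (1680, SAMPLE, "key_queried",
     r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000"
     r"\Control Panel\International\Geo\Nation"),
    (4788, "cmd.exe", "key_opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1680, SAMPLE, "key_opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1472, "msinfo32.exe", "key_opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
     r"\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000"),
    (1472, "msinfo32.exe", "key_queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
     r"\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID"),
    (1680, SAMPLE, "wrote_memory", 4236),       # parent seeding its own child
    (1680, SAMPLE, "wrote_memory", 2164),
    (2164, "win32.exe", "wrote_memory", 3352),
    (3352, "win32.exe", "wrote_memory", 3444),  # 3444 is Explorer.EXE
    (3352, "win32.exe", "set_thread_context", 3444),
]

# child pid -> parent pid, from the process tree (Explorer.EXE 3444 is the root).
PARENTS = {1680: 3444, 4236: 1680, 4788: 1680, 2164: 1680, 3352: 2164}

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NLS_LANGUAGE = re.compile(r"\\Control\\NLS\\Language$", re.I)
SCSI_VENDOR = re.compile(r"\\Enum\\SCSI\\[^\\]*?&VEN_([^&\\]+)", re.I)
VM_VENDORS = {"QEMU", "VMWARE", "VBOX", "XEN"}  # assumption, see module docstring


def _reg_events(events):
    """Yield (pid, process, key) for registry open/query rows only."""
    for pid, proc, action, target in events:
        if action in ("key_opened", "key_queried") and isinstance(target, str):
            yield pid, proc, target


def geofence_lookups(events):
    """Processes that read the user's Geo\\Nation value: the deliberate check."""
    return [(pid, proc) for pid, proc, key in _reg_events(events)
            if GEO_NATION.search(key)]


def language_lookups(events):
    """Per-process count of NLS\\Language reads. Low signal on its own: stock
    Windows binaries (cmd, taskkill, msiexec) do this during normal startup,
    so report the distribution rather than alerting on any single hit."""
    counts = defaultdict(int)
    for _pid, proc, key in _reg_events(events):
        if NLS_LANGUAGE.search(key):
            counts[proc] += 1
    return dict(counts)


def vm_vendor_probes(events):
    """SCSI enumeration rows whose device vendor string names a hypervisor."""
    hits = []
    for pid, proc, key in _reg_events(events):
        m = SCSI_VENDOR.search(key)
        if m and m.group(1).upper() in VM_VENDORS:
            hits.append((pid, proc, m.group(1).upper()))
    return hits


def injections(events, parents):
    """Pair WriteProcessMemory with SetThreadContext on the same target.
    A write alone is how every parent seeds a freshly created child; a write
    plus a thread-context change into a process the writer did not spawn is
    the cross-process injection pattern (here win32.exe -> Explorer.EXE)."""
    wrote, ctx = defaultdict(set), defaultdict(set)
    for pid, _proc, action, target in events:
        if action == "wrote_memory":
            wrote[pid].add(target)
        elif action == "set_thread_context":
            ctx[pid].add(target)
    found = []
    for pid, targets in ctx.items():
        for target in sorted(targets & wrote[pid]):
            found.append({"source": pid, "target": target,
                          "target_is_own_child": parents.get(target) == pid})
    return found


if __name__ == "__main__":
    print("geofence :", geofence_lookups(EVENTS))
    print("language :", language_lookups(EVENTS))
    print("vm probes:", vm_vendor_probes(EVENTS))
    print("injection:", injections(EVENTS, PARENTS))
```

The injection check deliberately requires both a memory write and a context change on the same target: the sample's writes into PIDs 4236, 4788 and 2164 are ordinary parent-to-child seeding and are not flagged, while the win32.exe write into 3444 is, with target_is_own_child false because Explorer.EXE is the tree root rather than a child of 3352.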
Processes
(depth in the tree is shown by indentation; the number in brackets is the report's own depth marker)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3444
  [2] C:\Users\Admin\AppData\Local\Temp\d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe"
      - Checks computer location settings
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1680
    [3] C:\Windows\SysWOW64\Anti_AV v1.2.1_en.exe
        Command line: "C:\Windows\system32\Anti_AV v1.2.1_en.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4236
      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 264
          - Program crash
          PID: 4500
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\Ultimate AV Killer By Royal 07 10 07.bat" "
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4788
      [4] C:\Windows\SysWOW64\msiexec.exe
          Command line: msiexec.exe
          - System Location Discovery: System Language Discovery
          PID: 2668
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im avxnews.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2768
      [4] C:\Windows\SysWOW64\msinfo32.exe
          Command line: msinfo32.exe
          - System Location Discovery: System Language Discovery
          - Checks SCSI registry key(s)
          - Enumerates system info in registry
          PID: 1472
    [3] C:\Windows\SysWOW64\win32.exe
        Command line: "C:\Windows\system32\win32.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2164
      [4] C:\Windows\SysWOW64\win32.exe
          Command line: StubPath
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3352

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4236 -ip 4236
    PID: 3540
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 416KB
MD5: 875c6820aa8e7d391735b9904ed79f21
SHA1: 305d5a13771e73690eb79baed195e1300dc5f4c9
SHA256: dd1dee80a74d2e9fc6b84253dded597344a35062d2f8ac22ca333220cd0d8e72
SHA512: 381c4929055394be163b0aa208619ca231cc5b4b6d35071afad8d7895dea59c2459c588449686d25632679ed953ea627e39fa49ed704ec17240d4c09150cf70d

Filesize: 7KB
MD5: bb0d0bd1cbf7986bff62501e57c9a451
SHA1: bfc49cf9209a05596caf0d7f2c036c57d698c2e9
SHA256: 4016758d369a792cfaef957516f495a65ce78e4ad529b844678910d4c10cd802
SHA512: 51eb8910801896a7c8abf1e1adde2ba6fbed70a6ab0110c86190f4566d50d4b1ebcac4f6baddf1eab300139349f10064aefdd3a9fe2e7a97124e590c06e95c56

Filesize: 7KB
MD5: 69dd0d80e6e9df4e990712e373a95ba0
SHA1: 8a9831bfb8eb9487f19ce9ddbaf56bf4eb3843ed
SHA256: 24f6e8d07dd5b3946e0095b1bdcfe6bc59066a766269320536ba60cc5ebb0529
SHA512: 4e98b7382da51c5dfef1fd2883a96edf4105ace69d6a4314e480ea13f12153277c474f22b343ac0b51a8da51e9bca4ffb433ec4fe0edc99e273a51f8dc052d0d