Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/12/2024, 12:09

General

  • Target

    d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe

  • Size

    546KB

  • MD5

    d98cf17a946979949dcdadf337a8cc38

  • SHA1

    d47368e55eb7069b3a075ec0c5f17f4fc83c524b

  • SHA256

    e54a56cb1bf8a5eba886cb79a4dc81763c62b187100af78124384d2c38e21691

  • SHA512

    5d2eb0bba0613e1b5b244de6f4e2ec989bb26902d59daae611f2f1ff4046fd4f9bcb877b116094e7e3063af83bc78b08f19f580c99e3ca851a329c2b7d55fcab

  • SSDEEP

    12288:fsja8ws/s7gg5fr74Sne8o0/eaTWCMHTV/XJ6RoPtCaCcbnpqhh:38Jg5D7JLrLaJ/XERoP+ctqhh

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\SysWOW64\Anti_AV v1.2.1_en.exe
          "C:\Windows\system32\Anti_AV v1.2.1_en.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4236
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 264
            4⤵
            • Program crash
            PID:4500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\Ultimate AV Killer By Royal 07 10 07.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4788
          • C:\Windows\SysWOW64\msiexec.exe
            msiexec.exe
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2668
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avxnews.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
          • C:\Windows\SysWOW64\msinfo32.exe
            msinfo32.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Checks SCSI registry key(s)
            • Enumerates system info in registry
            PID:1472
        • C:\Windows\SysWOW64\win32.exe
          "C:\Windows\system32\win32.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Windows\SysWOW64\win32.exe
            StubPath
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3352
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4236 -ip 4236
    1⤵
      PID:3540

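The process tree above shows three things worth pulling out mechanically: the dropped `win32.exe` spawns a second copy of itself with the literal command line `StubPath` and that child is tagged with SetThreadContext while the parent is tagged with WriteProcessMemory (the same-image, rewrite-the-child shape usually called RunPE or process hollowing); two dropped executables run out of `C:\Windows\SysWOW64`; and `taskkill /f /im avxnews.exe` is launched from a `cmd.exe` that is running the dropped `Ultimate AV Killer By Royal 07 10 07.bat`. The script below is an added example, not part of the tria.ge report and not the sample's own code. It rebuilds the tree from a hand-transcribed subset of the Processes section (PIDs, images, command lines and a subset of each process's signature names, with parent PIDs taken from the nesting; the depth-1 `WerFault.exe` PID 3540 whose parent is not shown is left out) and flags those three behaviours. The `PROCESSES` list is constructed input for this example; the function names are mine.

```python
"""Reconstruct the process tree of a tria.ge-style report and flag the
behaviours this run shows: a dropped binary re-spawning itself and having
the child rewritten (SetThreadContext + WriteProcessMemory, the RunPE
pattern), dropped executables run out of SysWOW64, and taskkill driven
from a dropped batch script.

PROCESSES is a hand-transcription of the report's Processes section and is
constructed input for this example, not an export from the sandbox."""
import ntpath
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOADER = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d98cf17a946979949dcdadf337a8cc38_JaffaCakes118.exe")

PROCESSES = [
    # (pid, ppid, image path, command line, subset of signature names)
    (3444, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", set()),
    (1680, 3444, LOADER, f'"{LOADER}"',
     {"Checks computer location settings", "Drops file in System32 directory",
      "Suspicious use of SetWindowsHookEx", "Suspicious use of WriteProcessMemory"}),
    (4236, 1680, r"C:\Windows\SysWOW64\Anti_AV v1.2.1_en.exe",
     r'"C:\Windows\system32\Anti_AV v1.2.1_en.exe"', {"Executes dropped EXE"}),
    (4500, 4236, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 264", {"Program crash"}),
    (4788, 1680, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\Ultimate AV Killer By Royal 07 10 07.bat" "',
     {"Suspicious use of WriteProcessMemory"}),
    (2668, 4788, r"C:\Windows\SysWOW64\msiexec.exe", "msiexec.exe", set()),
    (2768, 4788, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im avxnews.exe",
     {"Kills process with taskkill", "Suspicious use of AdjustPrivilegeToken"}),
    (1472, 4788, r"C:\Windows\SysWOW64\msinfo32.exe", "msinfo32.exe",
     {"Checks SCSI registry key(s)", "Enumerates system info in registry"}),
    (2164, 1680, r"C:\Windows\SysWOW64\win32.exe", r'"C:\Windows\system32\win32.exe"',
     {"Executes dropped EXE", "Suspicious use of WriteProcessMemory"}),
    (3352, 2164, r"C:\Windows\SysWOW64\win32.exe", "StubPath",
     {"Executes dropped EXE", "Suspicious use of SetThreadContext",
      "Suspicious use of WriteProcessMemory"}),
]


def by_pid(processes):
    return {p[0]: p for p in processes}


def children_of(processes):
    kids = defaultdict(list)
    for pid, ppid, *_ in processes:
        if ppid is not None:
            kids[ppid].append(pid)
    return kids


def ancestors(processes, pid):
    """Yield the parent chain of pid, nearest parent first."""
    procs = by_pid(processes)
    ppid = procs[pid][1]
    while ppid is not None and ppid in procs:
        yield procs[ppid]
        ppid = procs[ppid][1]


def find_self_injection(processes):
    """(ppid, pid) pairs where a parent that writes into other processes spawns
    a child running the same image and that child has its thread context set:
    the RunPE / process-hollowing shape win32.exe shows here."""
    procs = by_pid(processes)
    hits = []
    for pid, ppid, image, _cmd, sigs in processes:
        if ppid not in procs:
            continue
        parent = procs[ppid]
        same_image = ntpath.basename(image).lower() == ntpath.basename(parent[2]).lower()
        if (same_image
                and "Suspicious use of SetThreadContext" in sigs
                and "Suspicious use of WriteProcessMemory" in parent[4]):
            hits.append((ppid, pid))
    return hits


def find_dropped_system_executables(processes):
    """Basenames of images tagged 'Executes dropped EXE' under System32/SysWOW64."""
    return sorted({ntpath.basename(img) for _, _, img, _, sigs in processes
                   if "Executes dropped EXE" in sigs
                   and img.lower().startswith(SYSTEM_DIRS)})


def find_script_driven_taskkill(processes):
    """Image names killed by taskkill /im when an ancestor is cmd.exe running a .bat."""
    targets = []
    for pid, _, image, cmd, _sigs in processes:
        if ntpath.basename(image).lower() != "taskkill.exe":
            continue
        from_script = any(ntpath.basename(a[2]).lower() == "cmd.exe" and ".bat" in a[3].lower()
                          for a in ancestors(processes, pid))
        m = re.search(r"/im\s+(\S+)", cmd, re.IGNORECASE)
        if from_script and m:
            targets.append(m.group(1))
    return targets


if __name__ == "__main__":
    print("self-injection (ppid, pid):", find_self_injection(PROCESSES))
    print("dropped executables run from system dirs:", find_dropped_system_executables(PROCESSES))
    print("taskkill targets launched from dropped script:", find_script_driven_taskkill(PROCESSES))
```

The same three checks transfer to live telemetry (Sysmon event ID 1 plus the API-level signals an EDR exposes) once the tuple is filled from those sources instead of a report transcription; the point of keying on parent/child image equality plus SetThreadContext is that it does not depend on the dropped file's name, which this family changes freely.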
Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Windows\SysWOW64\Anti_AV v1.2.1_en.exe

        Filesize

        416KB

        MD5

        875c6820aa8e7d391735b9904ed79f21

        SHA1

        305d5a13771e73690eb79baed195e1300dc5f4c9

        SHA256

        dd1dee80a74d2e9fc6b84253dded597344a35062d2f8ac22ca333220cd0d8e72

        SHA512

        381c4929055394be163b0aa208619ca231cc5b4b6d35071afad8d7895dea59c2459c588449686d25632679ed953ea627e39fa49ed704ec17240d4c09150cf70d

      • C:\Windows\SysWOW64\Ultimate AV Killer By Royal 07 10 07.bat

        Filesize

        7KB

        MD5

        bb0d0bd1cbf7986bff62501e57c9a451

        SHA1

        bfc49cf9209a05596caf0d7f2c036c57d698c2e9

        SHA256

        4016758d369a792cfaef957516f495a65ce78e4ad529b844678910d4c10cd802

        SHA512

        51eb8910801896a7c8abf1e1adde2ba6fbed70a6ab0110c86190f4566d50d4b1ebcac4f6baddf1eab300139349f10064aefdd3a9fe2e7a97124e590c06e95c56

      • C:\Windows\SysWOW64\win32.exe

        Filesize

        7KB

        MD5

        69dd0d80e6e9df4e990712e373a95ba0

        SHA1

        8a9831bfb8eb9487f19ce9ddbaf56bf4eb3843ed

        SHA256

        24f6e8d07dd5b3946e0095b1bdcfe6bc59066a766269320536ba60cc5ebb0529

        SHA512

        4e98b7382da51c5dfef1fd2883a96edf4105ace69d6a4314e480ea13f12153277c474f22b343ac0b51a8da51e9bca4ffb433ec4fe0edc99e273a51f8dc052d0d

      • memory/2164-24-0x0000000000400000-0x0000000000404000-memory.dmp

        Filesize

        16KB

      • memory/3352-25-0x0000000000400000-0x0000000000404000-memory.dmp

        Filesize

        16KB

      • memory/3352-26-0x0000000000400000-0x0000000000404000-memory.dmp

        Filesize

        16KB

      • memory/4236-14-0x0000000000770000-0x0000000000837000-memory.dmp

        Filesize

        796KB

      • memory/4236-13-0x00000000005D0000-0x000000000069C000-memory.dmp

        Filesize

        816KB