Analysis

  • max time kernel: 149s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20241023-en
  • resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/12/2024, 20:40

General

  • Target: db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
  • Size: 2.0MB
  • MD5: db709ffca16b90369f0feadd92730fec
  • SHA1: 167dcea6800303f9ba2fd28d82fdecd3feb2d160
  • SHA256: 77c0e470dfc8b4234cb665773a97b9b98864e993acbac3de284ee474160f556f
  • SHA512: cfb446da9657ac4615f632133310f1e5fe21fe6e6ea61987be581f122fe4181aa6985626333291f119adedfb76dfbacca1e063879686f3caf3be8e70b4f81bb2
  • SSDEEP: 49152:xdc6IDfhIOnpoDrwQs+bLc4SexDWDwRZuc2qdL3ejAq1n2:xdcLDfhI2sHs871xDWDAZOWajP12

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 3 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tanfchpy.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3E4.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2320
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tanfchpy.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB50E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB50D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2544
    • C:\Users\Admin\AppData\Roaming\728980.exe
      "C:\Users\Admin\AppData\Roaming\728980.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2832
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Roaming\AdobeART.exe
        "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcnekt_s.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9AE.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2448
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcnekt_s.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9DD.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1804
        • C:\Users\Admin\AppData\Roaming\728980.exe
          "C:\Users\Admin\AppData\Roaming\728980.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1632
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1736
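The tree above is the shape that the "Uses the VBS compiler for execution", "Suspicious use of SetThreadContext" and "ModiLoader Second Stage" signatures are keyed on: vbc.exe is driven with a response file from %TEMP% (CodeDOM-style runtime compilation, with cvtres.exe as its child), then a second vbc.exe is started with no arguments at all and used as a hollowing host that launches AdobeART.exe, which repeats the whole cycle. The Python below is an added example, not tria.ge code; it encodes those three shapes as rules over process-creation events constructed from this report's PIDs and command lines (parent PIDs are inferred from the tree's nesting). The rule names, the user-writable path list and the build-tool parent allowlist are the example's own assumptions.

```python
"""Process-tree rules for runtime VB.NET compilation and compiler hollowing.
Added example, not tria.ge code; EVENTS is constructed from this report's
process tree (PPIDs inferred from its nesting)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # command line as logged


FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAM = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = f"{TMP}\\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe"


def vbc_cmd(resp):   # vbc.exe driven by a response file, the normal CodeDOM shape
    return f'"{FW}\\vbc.exe" /noconfig @"{TMP}\\{resp}.cmdline"'


def cvtres_cmd(out, inp):
    return f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TMP}\\{out}" "{TMP}\\{inp}"'


BARE_VBC = f'"{FW}\\\\vbc.exe"'   # no arguments; doubled backslash exactly as logged

EVENTS = [
    ProcEvent(772, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2208, 772, f"{FW}\\vbc.exe", vbc_cmd("tanfchpy")),
    ProcEvent(2320, 2208, f"{FW}\\cvtres.exe", cvtres_cmd("RESB3E5.tmp", "vbcB3E4.tmp")),
    ProcEvent(2536, 772, f"{FW}\\vbc.exe", vbc_cmd("tanfchpy")),
    ProcEvent(2544, 2536, f"{FW}\\cvtres.exe", cvtres_cmd("RESB50E.tmp", "vbcB50D.tmp")),
    ProcEvent(2832, 772, f"{ROAM}\\728980.exe", f'"{ROAM}\\728980.exe"'),
    ProcEvent(3008, 772, f"{FW}\\vbc.exe", BARE_VBC),
    ProcEvent(2852, 3008, f"{ROAM}\\AdobeART.exe", f'"{ROAM}\\AdobeART.exe"'),
    ProcEvent(2752, 2852, f"{FW}\\vbc.exe", vbc_cmd("pcnekt_s")),
    ProcEvent(2448, 2752, f"{FW}\\cvtres.exe", cvtres_cmd("RESB9AF.tmp", "vbcB9AE.tmp")),
    ProcEvent(2008, 2852, f"{FW}\\vbc.exe", vbc_cmd("pcnekt_s")),
    ProcEvent(1804, 2008, f"{FW}\\cvtres.exe", cvtres_cmd("RESB9DE.tmp", "vbcB9DD.tmp")),
    ProcEvent(1632, 2852, f"{ROAM}\\728980.exe", f'"{ROAM}\\728980.exe"'),
    ProcEvent(1736, 2852, f"{FW}\\vbc.exe", BARE_VBC),
]

# Assumed lists: where an unprivileged user can write, and which parents are
# expected to drive vbc/csc legitimately.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
COMPILERS = ("\\vbc.exe", "\\csc.exe")
BUILD_TOOLS = ("\\devenv.exe", "\\msbuild.exe", "\\dotnet.exe")
_ARGV0 = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)


def split_cmdline(cmd):
    """Return (argv0, remaining arguments) for a quoted or bare Windows argv0."""
    m = _ARGV0.match(cmd)
    return (m.group(1) if m.group(1) is not None else m.group(2)), m.group(3).strip()


def user_writable(path):
    return any(s in path.lower() for s in USER_WRITABLE)


def detect(events):
    """Return {rule: set(pid)} for the three chain shapes in this report."""
    by_pid = {e.pid: e for e in events}
    hits = {"runtime_compile": set(), "hollow_candidate": set(), "exec_from_hollowed": set()}
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image.lower().endswith(COMPILERS):
            _, args = split_cmdline(e.cmdline)
            resp = re.search(r'@"?([^"\s]+\.cmdline)', args, re.I)
            # CodeDOM compile from a response file in a user-writable directory,
            # with no IDE or build tool as parent
            if resp and user_writable(resp.group(1)) and not (
                    parent and parent.image.lower().endswith(BUILD_TOOLS)):
                hits["runtime_compile"].add(e.pid)
            # A compiler started with no arguments prints usage and exits; one
            # spawned by a binary in AppData/Temp is a SetThreadContext hollowing host
            if not args and parent and user_writable(parent.image):
                hits["hollow_candidate"].add(e.pid)
        elif parent and parent.image.lower().endswith(COMPILERS):
            _, pargs = split_cmdline(parent.cmdline)
            # a bare vbc.exe never launches executables: this is the hollowed host
            # handing off to the dropped second stage (AdobeART.exe above)
            if not pargs and user_writable(e.image):
                hits["exec_from_hollowed"].add(e.pid)
    return hits


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule:20} {sorted(pids)}")
```

Legitimate .NET applications also compile through CodeDOM (vbc/csc with /noconfig and an @*.cmdline response file), so the compile rule on its own is noisy; the discriminating features are the parent living in AppData or Temp and an argument-less vbc.exe that has children of its own. In production the events would come from Sysmon event ID 1 or Security 4688 with command-line auditing enabled.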

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB3E5.tmp
    Filesize: 1KB
    MD5: fcd4889ac7350889661362092dcf9c6d
    SHA1: d633795dfc45a58eb18eee67567b6a5f776d2475
    SHA256: 4aa763daab5fb42a88c870ceb9b0fb47dd9d74f180da007da65cb9c9c1afd20c
    SHA512: 3ef87d67bf9239c71d8fa32abe8e6a437a8b967512bb24735143095e1256bb76cb3697db73daca48fcdb4015d987418262d4e7dc4b7f8096dc5ef0ffc7c7a8e7

  • C:\Users\Admin\AppData\Local\Temp\RESB50E.tmp
    Filesize: 1KB
    MD5: 8521b77369bcba0c50d6f66435544bf9
    SHA1: 578e10132b322deb6c3a8126efb555537ce9b991
    SHA256: 09d2705ce98cfaf941b3d534bf93a4018474e223cd88bee743bf475ce4279378
    SHA512: c0bbcc121075e7e624e43c3145579ff8e25af2ff5e0359859d895392a56f659f9fac89283eb0744350922f87f62646975a43d540e51f5ac2bb88efec300ee6a7

  • C:\Users\Admin\AppData\Local\Temp\RESB9AF.tmp
    Filesize: 1KB
    MD5: 75e6835e5a2a4aa7bed21f429e4d3fa2
    SHA1: 4c0448108215ae329f2304a7bfa10993b6618eb7
    SHA256: f4ee6b98ea4cef8754c44572076313ba88b36d100a7e289de585404145b6aab7
    SHA512: 95d2a14c6436eb2b5ecf9682e3a9e8e94ce782a17c35b6a2d93a03c5cd20e3232cf1bc194d20f1c4d5aaee9394341edb1809e2f9c23823e1dca3589112de1450

  • C:\Users\Admin\AppData\Local\Temp\RESB9DE.tmp
    Filesize: 1KB
    MD5: a933110444862f77f93a9ccf02595250
    SHA1: 6c4bb43d2f5a7f8cd4b9d46912995c81e761342d
    SHA256: cb438e66f11a9eba37dbf255a2373cfeafc3ba992848cb08eb230111b810e6d5
    SHA512: 90717508941e102e34beaf6756bf4c3375fbe4b5b07407faad6c81f6c7202a7f3904fcd12aaf2a07b9465f9f848bb88628cf159cdc08d5e28414bc93ef3d540a

  • C:\Users\Admin\AppData\Local\Temp\pcnekt_s.0.vb
    Filesize: 1KB
    MD5: a9bb5770de7370496452677485b77cbb
    SHA1: 29a772d4421fb589f8a533aa597977fde4f1fbec
    SHA256: 879a28ea7ec29b04a0ae573b500f811fcf9e1b7a5aab1b51dd337c3f38be7663
    SHA512: 2cb54f197dfd4fb6b389e2686968827676cd7e231248275fdd7a47501110635f2386997bba4b00955e2338430a84ce4670b77fc729411c14b752dcea6a8b3d38

  • C:\Users\Admin\AppData\Local\Temp\pcnekt_s.cmdline
    Filesize: 211B
    MD5: 9bd501c751d53e12807f602c2ae0a610
    SHA1: fdf73168cf1e761c672df938b319a1384fa47034
    SHA256: 5e28fc52ebdda7d212f03e3d7e059445100beda62c1cc91b46ef41ae02d9687b
    SHA512: 648f2258b18afce6b5690dec209c7cc470184220aa1499021b3dba1bd5b510e5315de6109b4b05bf480a36de66226fec009e40d69ff1ffc489a68b0f9e62ea32

  • C:\Users\Admin\AppData\Local\Temp\tanfchpy.0.vb
    Filesize: 1KB
    MD5: 09dcad6325d92fe6121cbae669c3d2aa
    SHA1: 612df3b920a9d1991d7bd17c19dcdd123b125593
    SHA256: 0872ed2b530e444ece50b5eaed83829cbcc82f112e06677bdb354472425bd6a1
    SHA512: abc8cd6eb6e79ed2da560997cc4219ffc7f6e322f90e65e11b44467a9c3f526643a4273fa806a6f274fe09d63d8ca6856c958b5ca5441e32f980462efbfa4dbb

  • C:\Users\Admin\AppData\Local\Temp\tanfchpy.cmdline
    Filesize: 211B
    MD5: 6cbcda4644e901443af4f62a6c781bf5
    SHA1: 2017f401582e1d5bd33437ae1d44ba6f5381d25c
    SHA256: b0f38a9732afd6e8782c83fe5b7672c80c69e35722ddbd9203af3c424d775932
    SHA512: 2fb6f0e9aa83869784cdc2c00e41f2478b735d9e8a75c46ac08ffd4326eaed36cec982f34227b8e7006c368efdf8919af7060205a7ec8ed316b232a78e8d7168

  • C:\Users\Admin\AppData\Local\Temp\vbcB3E4.tmp
    Filesize: 940B
    MD5: 75189b4aad9a73d622481d4c815913fa
    SHA1: 0c7732c0981764b438958a2a025f0befbe2a8562
    SHA256: dc7255857f258a57764b8d68318929d5f6540fb62ddd2b4e86937cff96385440
    SHA512: 84115e34f26f4b8fc1476d4ca7c8ddca1db4e864d04fc11fc123f4948a75c4c69697b9b43e8646011261f4460e1c5b1e714781e17cca3d68c1979932a63b074a

  • C:\Users\Admin\AppData\Roaming\728980.exe
    Filesize: 7KB
    MD5: ef7a09dd9c6671b8de185f7aaa37bdaf
    SHA1: 7693ce1785d42c821956f6416330518a3a942b3d
    SHA256: 72c2c7589729bd9b11868bb37575acf6b23bfd1d122c035420715abe80a92594
    SHA512: 495e4959439584c612fed61372e9391c4b1304efe5ae99ea9d6329af533fc1582c4f973807a13b720c8024959907f67c4b4a817c244da002f480c8fac697cce4

  • C:\Users\Admin\AppData\Roaming\728980.exe
    Filesize: 7KB
    MD5: d12886f4d7615b6fb4c8e0b16b5b5564
    SHA1: c9f58362683e9d33ab179ea2b95152d8d3204e9e
    SHA256: 25dc4281d038a49b2faa54e7bcbdd4bfeb662caba5dca01543bf10ad40260a22
    SHA512: a625909fae64b2de45733f7fba12bf60402a196acc0b9c7e0cfafa66652a7c8a83696e44975c256af685de9d5d46f54bf899efc99ec781b7285045ccfa75156b

  • C:\Users\Admin\AppData\Roaming\728980.exe
    Filesize: 7KB
    MD5: bc9c5d650ae700bb57b901f4ac6b9ca2
    SHA1: 50222f16783f6678ee69eaab960782ebe2b699f5
    SHA256: d321ac82807700e9152de46e3a80afe64e3a29feed55cc79a2ad7733c3b586ef
    SHA512: e7f4fc4ce8e210ab4d0f06efb1f4085a2f2e309d35da79b7e1a5ced3398cbcf582f064487f696b5546bd4bb882064654c53b342f72c8c266614ea64f765c54b5

  • C:\Users\Admin\AppData\Roaming\728980.exe
    Filesize: 7KB
    MD5: ff3d70c685ee9dfd182cb00876c1b86e
    SHA1: 38ff1330aeb515befc37bc838a1b69efc4723bc6
    SHA256: 307fbda9565da19286d2aba41230afaa68c6c33dc0c7de86cfb2afbc388a7480
    SHA512: 648ed7bcf8f8c585e9a74e3d1b00d3304ebb8a315e8f1bec0b6e9e43faa3389cf0a3e38bf4c509a23e13da2deec7d55340268df3750ae3b2daf8d7058648fa12

  • \Users\Admin\AppData\Roaming\AdobeART.exe
    Filesize: 2.0MB
    MD5: db709ffca16b90369f0feadd92730fec
    SHA1: 167dcea6800303f9ba2fd28d82fdecd3feb2d160
    SHA256: 77c0e470dfc8b4234cb665773a97b9b98864e993acbac3de284ee474160f556f
    SHA512: cfb446da9657ac4615f632133310f1e5fe21fe6e6ea61987be581f122fe4181aa6985626333291f119adedfb76dfbacca1e063879686f3caf3be8e70b4f81bb2

  • memory/772-2-0x0000000074C70000-0x000000007521B000-memory.dmp
    Filesize: 5.7MB
  • memory/772-1-0x0000000074C70000-0x000000007521B000-memory.dmp
    Filesize: 5.7MB
  • memory/772-46-0x0000000074C70000-0x000000007521B000-memory.dmp
    Filesize: 5.7MB
  • memory/772-0-0x0000000074C71000-0x0000000074C72000-memory.dmp
    Filesize: 4KB
  • memory/1736-97-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/1736-95-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/1736-92-0x0000000000030000-0x0000000000032000-memory.dmp
    Filesize: 8KB
  • memory/2208-7-0x0000000074C70000-0x000000007521B000-memory.dmp
    Filesize: 5.7MB
  • memory/2208-16-0x0000000074C70000-0x000000007521B000-memory.dmp
    Filesize: 5.7MB
  • memory/3008-37-0x0000000000030000-0x0000000000032000-memory.dmp
    Filesize: 8KB
  • memory/3008-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/3008-40-0x0000000000030000-0x0000000000032000-memory.dmp
    Filesize: 8KB
  • memory/3008-45-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/3008-36-0x0000000000030000-0x0000000000032000-memory.dmp
    Filesize: 8KB