Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 09/12/2024, 20:40
Static task: static1

Behavioral task: behavioral1
Sample: db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
Size: 2.0MB
MD5: db709ffca16b90369f0feadd92730fec
SHA1: 167dcea6800303f9ba2fd28d82fdecd3feb2d160
SHA256: 77c0e470dfc8b4234cb665773a97b9b98864e993acbac3de284ee474160f556f
SHA512: cfb446da9657ac4615f632133310f1e5fe21fe6e6ea61987be581f122fe4181aa6985626333291f119adedfb76dfbacca1e063879686f3caf3be8e70b4f81bb2
SSDEEP: 49152:xdc6IDfhIOnpoDrwQs+bLc4SexDWDwRZuc2qdL3ejAq1n2:xdcLDfhI2sHs871xDWDAZOWajP12
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/3008-45-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral1/memory/1736-95-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
behavioral1/memory/1736-97-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2

Drops startup file (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 728980.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeART.exe | 728980.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeART.exe | 728980.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 728980.exe

Executes dropped EXE (3 IoCs)
pid | Process
2832 | 728980.exe
2852 | AdobeART.exe
1632 | 728980.exe

Loads dropped DLL (6 IoCs)
pid | Process
772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
3008 | vbc.exe
3008 | vbc.exe
2852 | AdobeART.exe
2852 | AdobeART.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe" | vbc.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 772 set thread context of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 2852 set thread context of 1736 | 2852 | AdobeART.exe | 46

resource | yara_rule
behavioral1/memory/3008-45-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral1/memory/1736-95-0x0000000000400000-0x0000000000414000-memory.dmp | upx
behavioral1/memory/1736-97-0x0000000000400000-0x0000000000414000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AdobeART.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 728980.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 728980.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
Token: SeDebugPrivilege | 2852 | AdobeART.exe

Suspicious use of WriteProcessMemory (62 IoCs)
description | pid | Process | procid_target
PID 772 wrote to memory of 2208 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 30
PID 772 wrote to memory of 2208 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 30
PID 772 wrote to memory of 2208 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 30
PID 772 wrote to memory of 2208 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 30
PID 2208 wrote to memory of 2320 | 2208 | vbc.exe | 32
PID 2208 wrote to memory of 2320 | 2208 | vbc.exe | 32
PID 2208 wrote to memory of 2320 | 2208 | vbc.exe | 32
PID 2208 wrote to memory of 2320 | 2208 | vbc.exe | 32
PID 772 wrote to memory of 2536 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 33
PID 772 wrote to memory of 2536 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 33
PID 772 wrote to memory of 2536 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 33
PID 772 wrote to memory of 2536 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 33
PID 2536 wrote to memory of 2544 | 2536 | vbc.exe | 35
PID 2536 wrote to memory of 2544 | 2536 | vbc.exe | 35
PID 2536 wrote to memory of 2544 | 2536 | vbc.exe | 35
PID 2536 wrote to memory of 2544 | 2536 | vbc.exe | 35
PID 772 wrote to memory of 2832 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 36
PID 772 wrote to memory of 2832 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 36
PID 772 wrote to memory of 2832 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 36
PID 772 wrote to memory of 2832 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 36
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 772 wrote to memory of 3008 | 772 | db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe | 37
PID 3008 wrote to memory of 2852 | 3008 | vbc.exe | 38
PID 3008 wrote to memory of 2852 | 3008 | vbc.exe | 38
PID 3008 wrote to memory of 2852 | 3008 | vbc.exe | 38
PID 3008 wrote to memory of 2852 | 3008 | vbc.exe | 38
PID 2852 wrote to memory of 2752 | 2852 | AdobeART.exe | 39
PID 2852 wrote to memory of 2752 | 2852 | AdobeART.exe | 39
PID 2852 wrote to memory of 2752 | 2852 | AdobeART.exe | 39
PID 2852 wrote to memory of 2752 | 2852 | AdobeART.exe | 39
PID 2752 wrote to memory of 2448 | 2752 | vbc.exe | 41
PID 2752 wrote to memory of 2448 | 2752 | vbc.exe | 41
PID 2752 wrote to memory of 2448 | 2752 | vbc.exe | 41
PID 2752 wrote to memory of 2448 | 2752 | vbc.exe | 41
PID 2852 wrote to memory of 2008 | 2852 | AdobeART.exe | 42
PID 2852 wrote to memory of 2008 | 2852 | AdobeART.exe | 42
PID 2852 wrote to memory of 2008 | 2852 | AdobeART.exe | 42
PID 2852 wrote to memory of 2008 | 2852 | AdobeART.exe | 42
PID 2008 wrote to memory of 1804 | 2008 | vbc.exe | 44
PID 2008 wrote to memory of 1804 | 2008 | vbc.exe | 44
PID 2008 wrote to memory of 1804 | 2008 | vbc.exe | 44
PID 2008 wrote to memory of 1804 | 2008 | vbc.exe | 44
PID 2852 wrote to memory of 1632 | 2852 | AdobeART.exe | 45
PID 2852 wrote to memory of 1632 | 2852 | AdobeART.exe | 45
PID 2852 wrote to memory of 1632 | 2852 | AdobeART.exe | 45
PID 2852 wrote to memory of 1632 | 2852 | AdobeART.exe | 45
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
PID 2852 wrote to memory of 1736 | 2852 | AdobeART.exe | 46
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\db709ffca16b90369f0feadd92730fec_JaffaCakes118.exe"
    PID: 772
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tanfchpy.cmdline"
      PID: 2208
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3E5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB3E4.tmp"
        PID: 2320
        - System Location Discovery: System Language Discovery

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tanfchpy.cmdline"
      PID: 2536
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB50E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB50D.tmp"
        PID: 2544
        - System Location Discovery: System Language Discovery

  [depth 2] C:\Users\Admin\AppData\Roaming\728980.exe
      Command line: "C:\Users\Admin\AppData\Roaming\728980.exe"
      PID: 2832
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
      PID: 3008
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Roaming\AdobeART.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
        PID: 2852
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcnekt_s.cmdline"
          PID: 2752
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9AF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9AE.tmp"
            PID: 2448
            - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pcnekt_s.cmdline"
          PID: 2008
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9DD.tmp"
            PID: 1804
            - System Location Discovery: System Language Discovery

      [depth 4] C:\Users\Admin\AppData\Roaming\728980.exe
          Command line: "C:\Users\Admin\AppData\Roaming\728980.exe"
          PID: 1632
          - Drops startup file
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

      [depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\vbc.exe"
          PID: 1736
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads