Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/12/2024, 19:18

General

  • Target

    de4647924f965d6eac627712b5135de9_JaffaCakes118.exe

  • Size

    373KB

  • MD5

    de4647924f965d6eac627712b5135de9

  • SHA1

    90af1a55a113ceb135a7b07de86820a2871e5804

  • SHA256

    b1925f44345d9f742e63320c812839c5cf6f2938da0262b6e153bac22fefa5a2

  • SHA512

    66a35ec351de0de6b383b82be295b16ed1b3086300dc9c1d71d85ba7df455944b054c04ddc445ede2bd27cb92454717757ede54498c875fe0615ec7b1c1e5326

  • SSDEEP

    6144:0Vs61FDrfb139bFDMbtw7C6iKlve+eJq8pp3f/0RS2rmlcNMn9okhizy03y14:Unf13xFZ7OK1kq8bf/0RWCR3zy0C2

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 15 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de4647924f965d6eac627712b5135de9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de4647924f965d6eac627712b5135de9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe
      "C:\Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Users\Admin\AppData\Local\winmouse.exe
        "C:\Users\Admin\AppData\Local\winmouse.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2692
    • C:\Users\Admin\AppData\Local\Temp\easy hack.exe
      "C:\Users\Admin\AppData\Local\Temp\easy hack.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\easy hack.exe
    Filesize: 351KB
    MD5: 8a269ea56f2753dcf4355c7092782986
    SHA1: cb7a075ed9b8b4da0954dac23531d83da3789894
    SHA256: 956a24e3043659e90b070e53c19f1ea2077e3d5c08a37ed63682600db4430ebd
    SHA512: ce6a306fda60676e0acc557a8693ad907c1f56db7cc29ea0c378593f5337b727b190cda47108bffcb2cf84ec5489816a4f582bf751c72de554ea93035d475ea7

  • \Users\Admin\AppData\Local\Temp\mod_sa_by_fyp.43.1.0_0.3e.exe
    Filesize: 17KB
    MD5: cfcc4f645a5319a4699a625e05b1fc7e
    SHA1: 8e2519efd7669dfa4a03740cabe9b09e79a6382b
    SHA256: 78c76c6165021c2a6740cdddeabd67778565cd9e5627ab6c574c53c066ab3114
    SHA512: 51e484410fa5f563888aae506042326514dfeffe95c650526a4cae0817a98be9f140e89b7bb7826e1dfdecd2cf59fff12748eacef142dc4df0bbdcf46625a4d5

  • memory/2356-34-0x0000000000400000-0x0000000000532000-memory.dmp (Filesize: 1.2MB)
  • memory/2356-35-0x00000000002D0000-0x00000000002D1000-memory.dmp (Filesize: 4KB)
  • memory/2356-19-0x00000000002D0000-0x00000000002D1000-memory.dmp (Filesize: 4KB)
  • memory/2500-29-0x00000000004A0000-0x00000000004B4000-memory.dmp (Filesize: 80KB)
  • memory/2500-32-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-40-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-56-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-62-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-37-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-38-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-60-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-42-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-44-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-46-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-48-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-50-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-52-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-54-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2692-58-0x0000000000400000-0x0000000000414000-memory.dmp (Filesize: 80KB)
  • memory/2984-33-0x0000000003760000-0x0000000003892000-memory.dmp (Filesize: 1.2MB)
  • memory/2984-4-0x00000000021D0000-0x00000000021E4000-memory.dmp (Filesize: 80KB)
  • memory/2984-17-0x0000000003760000-0x0000000003892000-memory.dmp (Filesize: 1.2MB)