Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/12/2024, 22:04
Behavioral task
behavioral1
Sample
e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
e36b5ca136805c9b6ca817be8e864d76
-
SHA1
c82fc61efe4f53197f8b706abdcbdf30cdfafe1f
-
SHA256
41431474bc761c28c6d6a1d903b3fb523c8d383032b2d10cf74df0d20229cf3d
-
SHA512
d35210836168cc3862e1d0717564c078bbac5bd182cf5a8c9465764d6e47345333210329e8b0ac7d7d3a39e967d8da491a7fa655bafb9250d59e092a93366fa5
-
SSDEEP
24576:5SVjJXq5R8zVifDiUfLSNZy1pWF/qyNGwWv0OT:eJXq5RXuNZSa/zNGwW5T
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msgms.exe -
ModiLoader Second Stage 4 IoCs
resource yara_rule behavioral2/memory/4988-0-0x0000000000400000-0x0000000000555000-memory.dmp modiloader_stage2 behavioral2/files/0x000400000001db44-6.dat modiloader_stage2 behavioral2/memory/4988-12-0x0000000000400000-0x0000000000555000-memory.dmp modiloader_stage2 behavioral2/memory/3992-29-0x0000000000400000-0x0000000000555000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe -
Deletes itself 1 IoCs
pid Process 3992 msgms.exe -
Executes dropped EXE 1 IoCs
pid Process 3992 msgms.exe -
Loads dropped DLL 4 IoCs
pid Process 3992 msgms.exe 3992 msgms.exe 3992 msgms.exe 3992 msgms.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msgms.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msgms.exe -
resource yara_rule behavioral2/memory/4988-0-0x0000000000400000-0x0000000000555000-memory.dmp upx behavioral2/files/0x000400000001db44-6.dat upx behavioral2/memory/4988-12-0x0000000000400000-0x0000000000555000-memory.dmp upx behavioral2/memory/3992-29-0x0000000000400000-0x0000000000555000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\msgms.exe e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe File opened for modification C:\Windows\msgms.exe e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe File created C:\Windows\olecstp.dll msgms.exe File created C:\Windows\oletac.dll msgms.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msgms.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4988 e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe Token: SeBackupPrivilege 1248 vssvc.exe Token: SeRestorePrivilege 1248 vssvc.exe Token: SeAuditPrivilege 1248 vssvc.exe Token: SeDebugPrivilege 3992 msgms.exe Token: SeDebugPrivilege 3992 msgms.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4988 e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3992 msgms.exe 3992 msgms.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4988 wrote to memory of 3992 4988 e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe 86 PID 4988 wrote to memory of 3992 4988 e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe 86 PID 4988 wrote to memory of 3992 4988 e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe 86 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msgms.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\msgms.exe"C:\Windows\msgms.exe" \erit "C:\Users\Admin\AppData\Local\Temp\e36b5ca136805c9b6ca817be8e864d76_JaffaCakes118.exe"2⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3992
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5e36b5ca136805c9b6ca817be8e864d76
SHA1c82fc61efe4f53197f8b706abdcbdf30cdfafe1f
SHA25641431474bc761c28c6d6a1d903b3fb523c8d383032b2d10cf74df0d20229cf3d
SHA512d35210836168cc3862e1d0717564c078bbac5bd182cf5a8c9465764d6e47345333210329e8b0ac7d7d3a39e967d8da491a7fa655bafb9250d59e092a93366fa5
-
Filesize
7KB
MD51dad779c593c4035cb561d169b6be16f
SHA165a0b1f1ac4370641d14e1ba5ccd876a30cba021
SHA2561270daf11f40457b84a183a0956ccb46433847040ddbd6ee3711785bc1cf8159
SHA512015c0205b626ed92c9e29e7cb09e3efdfd992e119acd30e6070bc63361187280b30241ec1e7da5c02b7f42562c7e2ec836d7355ad459c22880081f4764f3c642
-
Filesize
33KB
MD555363ca71ba35507820a94732c84f170
SHA134a5eba0997b78788604f72099caf2aa309d95fc
SHA2562b7b2093f36bafc75426a18b6b1d939e7c411ffe335474f09448f85ddf8916e9
SHA5122ab927dd0a22431ac245b7ee2e3d10cb49def38daf22712204f0f3b2b6dd3a00c4c331f10bac17b45c9fdaf276bf85c1d9852a5d623d243b886df214315ec13b