Analysis
- max time kernel: 7s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/12/2024, 05:57
Behavioral task behavioral1
- Sample: e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
- Size: 651KB
- MD5: e027e31a159b5507f5a9377d2500ce2e
- SHA1: a1fd538454fa5270d33343bff9fe0f17796ffc35
- SHA256: ea836ef512beca63d1e1dc12b60ea8d57737ab3db3e1cb7d16209408ef7ccd65
- SHA512: 1e35e60d16359c7a792ceab9b2f2f3a4c4f6be589a83a4d922795ba7a8d8c593ae2f5735196539293786ec3864553801c23ad69026491aef74cd8931745afd8d
- SSDEEP: 12288:kpyZT1trCxu/mDwLRI6BxcDqp9aqCcajVuD3Z7BPQGMWYur0s0D:kUx1tjOD3SxcDDcNDqWYurL0
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (11 IoCs)
  resource / yara_rule:
  behavioral2/memory/2264-7-0x0000000000400000-0x0000000000507000-memory.dmp / modiloader_stage2
  behavioral2/memory/2264-6-0x0000000000400000-0x0000000000507000-memory.dmp / modiloader_stage2
  behavioral2/memory/1972-4-0x0000000000400000-0x000000000041C000-memory.dmp / modiloader_stage2
  behavioral2/files/0x0007000000023cbf-53.dat / modiloader_stage2
  behavioral2/memory/1152-61-0x0000000000400000-0x000000000041B000-memory.dmp / modiloader_stage2
  behavioral2/memory/2264-62-0x0000000000400000-0x0000000000507000-memory.dmp / modiloader_stage2
  behavioral2/files/0x0007000000023cc1-65.dat / modiloader_stage2
  behavioral2/memory/2856-73-0x0000000000400000-0x000000000041B000-memory.dmp / modiloader_stage2
  behavioral2/files/0x0007000000023cc4-71.dat / modiloader_stage2
  behavioral2/memory/652-83-0x0000000000400000-0x000000000041B000-memory.dmp / modiloader_stage2
  behavioral2/memory/2264-123-0x0000000000400000-0x0000000000507000-memory.dmp / modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid / Process: 1820 / dHY4IvP3.exe
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid / Process: 2868 / tasklist.exe; 2976 / tasklist.exe
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target: PID 1972 set thread context of 2264 / 1972 / e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe / 84
- yara_rule upx (18 IoCs)
  resource / yara_rule:
  behavioral2/memory/2264-8-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/2264-7-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/2264-6-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/2264-5-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/2264-0-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/2264-1-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/2264-62-0x0000000000400000-0x0000000000507000-memory.dmp / upx
  behavioral2/memory/3640-75-0x0000000000400000-0x0000000000427000-memory.dmp / upx
  behavioral2/memory/3640-74-0x0000000000400000-0x0000000000427000-memory.dmp / upx
  behavioral2/memory/3640-70-0x0000000000400000-0x0000000000427000-memory.dmp / upx
  behavioral2/memory/3640-67-0x0000000000400000-0x0000000000427000-memory.dmp / upx
  behavioral2/memory/1084-86-0x0000000000400000-0x000000000040E000-memory.dmp / upx
  behavioral2/memory/1084-87-0x0000000000400000-0x000000000040E000-memory.dmp / upx
  behavioral2/memory/1084-85-0x0000000000400000-0x000000000040E000-memory.dmp / upx
  behavioral2/memory/1084-80-0x0000000000400000-0x000000000040E000-memory.dmp / upx
  behavioral2/memory/1084-79-0x0000000000400000-0x000000000040E000-memory.dmp / upx
  behavioral2/memory/3640-102-0x0000000000400000-0x0000000000427000-memory.dmp / upx
  behavioral2/memory/2264-123-0x0000000000400000-0x0000000000507000-memory.dmp / upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / dHY4IvP3.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process: 1820 / dHY4IvP3.exe; 1820 / dHY4IvP3.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 2264 / e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe; 1820 / dHY4IvP3.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 1972 wrote to memory of 2264 / 1972 / e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe / 84 (9 events)
  PID 2264 wrote to memory of 1820 / 2264 / e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe / 85 (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe (PID 1972)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe (PID 2264)
      Command line: e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\dHY4IvP3.exe (PID 1820)
         Command line: C:\Users\Admin\dHY4IvP3.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\ziuoqat.exe (PID 4824)
            Command line: "C:\Users\Admin\ziuoqat.exe"
         4. C:\Windows\SysWOW64\cmd.exe (PID 3976)
            Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del dHY4IvP3.exe
            5. C:\Windows\SysWOW64\tasklist.exe (PID 2976)
               Command line: tasklist
               - Enumerates processes with tasklist
      3. C:\Users\Admin\azhost.exe (PID 1152)
         Command line: C:\Users\Admin\azhost.exe
         4. C:\Users\Admin\azhost.exe (PID 3540)
            Command line: azhost.exe
      3. C:\Users\Admin\bzhost.exe (PID 2856)
         Command line: C:\Users\Admin\bzhost.exe
         4. C:\Users\Admin\bzhost.exe (PID 3640)
            Command line: bzhost.exe
      3. C:\Users\Admin\czhost.exe (PID 652)
         Command line: C:\Users\Admin\czhost.exe
         4. C:\Users\Admin\czhost.exe (PID 1084)
            Command line: czhost.exe
      3. C:\Users\Admin\dzhost.exe (PID 2432)
         Command line: C:\Users\Admin\dzhost.exe
         4. C:\Windows\SysWOW64\cmd.exe (PID 2824)
            Command line: "C:\Windows\system32\cmd.exe"
      3. C:\Users\Admin\ezhost.exe (PID 3032)
         Command line: C:\Users\Admin\ezhost.exe
      3. C:\Windows\SysWOW64\cmd.exe (PID 548)
         Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del e027e31a159b5507f5a9377d2500ce2e_JaffaCakes118.exe
         4. C:\Windows\SysWOW64\tasklist.exe (PID 2868)
            Command line: tasklist
            - Enumerates processes with tasklist
Network
MITRE ATT&CK Enterprise v15
Downloads