Analysis
Max time kernel: 142s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 12/12/2024, 17:55
Behavioral task: behavioral1
Sample: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe
Size: 967KB
MD5: e793e33cf97a0a04013f3f906c684aae
SHA1: 2b2c2242402152586e0337f3cde3445ea5717d3a
SHA256: 26c880377150c62f81d3bb30e26c78d2773cc314dd89b26fcdb666b168e99a1d
SHA512: 439b51a51a511fb5c99db59c1d393671577434bc067960e396378f609b578c8f8f07fc47a94552edce7527e9aec0f401bc19ef98b58c135480f54fdf799106f0
SSDEEP: 24576:7XqM+XKkCyE0W1bA74t1iKQXNX1UDrPboke+eWX:7aSEKQl0bc+X
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

UAC bypass
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: orçamento grafiato_2binderinvasor.exe)
ModiLoader Second Stage (17 IoCs)
YARA rule modiloader_stage2: 17 matches in memory snapshots of PID 2948 (orçamento grafiato_2binderinvasor.exe), region 0x0000000000400000-0x0000000000451000
Executes dropped EXE (1 IoC)
PID 2948: orçamento grafiato_2binderinvasor.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine (process: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe)
Loads dropped DLL (5 IoCs)
PID 2096: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe (2 events)
PID 2948: orçamento grafiato_2binderinvasor.exe (2 events)
PID 2616: DllHost.exe (1 event)
YARA rule themida: 5 matches in memory snapshots of PID 2096 (e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe), region 0x0000000000400000-0x00000000004D0000
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\orçamento grafiato_2binderinvasor.exe" (process: orçamento grafiato_2binderinvasor.exe)
Checks whether UAC is enabled
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: orçamento grafiato_2binderinvasor.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: orçamento grafiato_2binderinvasor.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
PID 2096: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe
YARA rule upx: 20 matches; 1 dropped file (behavioral1/files/0x00080000000120ff-17.dat), 1 memory region of PID 2096 (0x0000000004B60000-0x0000000004BB1000) and 18 memory snapshots of PID 2948 (region 0x0000000000400000-0x0000000000451000)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe, orçamento grafiato_2binderinvasor.exe, DllHost.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 2096: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token SeDebugPrivilege: PID 2948, orçamento grafiato_2binderinvasor.exe
Token SeBackupPrivilege: PID 580, vssvc.exe
Token SeRestorePrivilege: PID 580, vssvc.exe
Token SeAuditPrivilege: PID 580, vssvc.exe
Token SeDebugPrivilege: PID 2948, orçamento grafiato_2binderinvasor.exe
Token SeDebugPrivilege: PID 2616, DllHost.exe
Suspicious use of FindShellTrayWindow (1 IoC)
PID 2616: DllHost.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
PID 2096: e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe (1 event)
PID 2948: orçamento grafiato_2binderinvasor.exe (2 events)
PID 2616: DllHost.exe (2 events)
Suspicious use of WriteProcessMemory (4 IoCs)
PID 2096 (e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe) wrote to memory of PID 2948 (procid_target 30), 4 events
System policy modification (1 TTP, 1 IoC)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: orçamento grafiato_2binderinvasor.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e793e33cf97a0a04013f3f906c684aae_JaffaCakes118.exe"
  PID: 2096
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\orçamento grafiato_2binderinvasor.exe (child of PID 2096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\orçamento grafiato_2binderinvasor.exe"
    PID: 2948
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2616
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 580
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (1)
Downloads
Four dropped files, of 33KB, 114KB, 33KB and 7KB