Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 12/12/2024, 20:56
Behavioral task: behavioral1
- Sample: e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe
- Size: 98KB
- MD5: e83db1a7869c9e87b33736875765ab7a
- SHA1: 539fac361eaeed508d7cf0b18915c54e77f001be
- SHA256: 09ab96f15eb667dde711f954851b1c5e322a5b11b43f2e61ccaf0ddd16512ade
- SHA512: e355a1c58332d1fde97a568bf7cbb61e43c2f58eed914e417ac9174df12829bbc2e8fea6a6c61d87f56b59821d36f2225c98e0ce6a37605d5560f46dd6a1c124
- SSDEEP: 3072:P3qu2iVSI/u6Viw0fkJBIcp3wL4HFjL5ai:X1AImQiZfkJBry4BL
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2440-7-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
  behavioral1/memory/2120-11-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
  behavioral1/memory/2120-9-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  2120 | apocalyps32.exe
- UPX-packed (yara_rule upx) (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2440-0-0x0000000000010000-0x0000000000036000-memory.dmp | upx
  behavioral1/memory/2440-7-0x0000000000010000-0x0000000000036000-memory.dmp | upx
  behavioral1/files/0x000e00000001202c-8.dat | upx
  behavioral1/memory/2120-11-0x0000000000010000-0x0000000000036000-memory.dmp | upx
  behavioral1/memory/2120-9-0x0000000000010000-0x0000000000036000-memory.dmp | upx
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\apocalyps32.exe | e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe
  File opened for modification | C:\Windows\apocalyps32.exe | e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe
  File created | C:\Windows\apocalyps32.exe | apocalyps32.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | apocalyps32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target | events
  PID 2440 wrote to memory of 2120 | 2440 | e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe | 30 | 4
  PID 2120 wrote to memory of 1940 | 2120 | apocalyps32.exe | 31 | 4
Processes
1. C:\Users\Admin\AppData\Local\Temp\e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe (PID 2440)
   command line: "C:\Users\Admin\AppData\Local\Temp\e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\apocalyps32.exe (PID 2120), child of PID 2440
      command line: -bs
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Internet Explorer\iexplore.exe (PID 1940), child of PID 2120
         command line: -bs
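The process tree and signatures above are the host-side IoCs an analyst would want to hunt for across a fleet. As an added example (not part of the tria.ge report or its tooling), the Python below encodes them as correlation rules and replays them over constructed Sysmon-style events that mirror the tree. The event schema, the rule names and the two benign decoy events are assumptions; the paths, hashes, PIDs, registry key and bare "-bs" command lines are copied from the report.

```python
"""Hunt this report's host IoCs in Sysmon-style endpoint telemetry.

Added example, not part of the tria.ge report. The events at the bottom are
constructed to mirror the report's process tree; field names follow Sysmon
(Image, CommandLine, ParentCommandLine, TargetFilename, TargetObject, Hashes).
"""
import re

# Digests of the analysed sample, copied from the report's General section.
SAMPLE_HASHES = {
    "md5": "e83db1a7869c9e87b33736875765ab7a",
    "sha1": "539fac361eaeed508d7cf0b18915c54e77f001be",
    "sha256": "09ab96f15eb667dde711f954851b1c5e322a5b11b43f2e61ccaf0ddd16512ade",
}
# An .exe written directly into the Windows root (report: C:\Windows\apocalyps32.exe).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# Key opened by the sample and its dropped copy (T1614.001), under any control set.
NLS_LANGUAGE_KEY = re.compile(
    r"\\(controlset\d{3}|currentcontrolset)\\control\\nls\\language$", re.IGNORECASE)


def parse_sysmon_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {algo: digest}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            out[algo.strip().lower()] = digest.strip().lower()
    return out


def matches_sample(hashes: dict) -> bool:
    """True when any digest equals the report's value for the same algorithm."""
    return any(hashes.get(a, "").lower() == v for a, v in SAMPLE_HASHES.items())


def trailing_args(cmdline: str) -> set:
    """Arguments after the executable; tolerates a quoted exe path and a command
    line that omits the exe entirely (the report shows just "-bs")."""
    if cmdline.startswith('"'):
        rest = cmdline[cmdline.find('"', 1) + 1:]
    else:
        head, _, rest = cmdline.partition(" ")
        if not head.lower().endswith(".exe"):
            rest = cmdline
    return set(rest.split())


def hunt(events: list) -> list:
    """Replay events in order and return alert dicts. The rules generalise the
    report's tree: known_sample (Hashes match), drop_and_exec (an .exe created in
    the Windows root is later run), inject_host (a flagged process starts
    iexplore.exe and hands it the same argument it received, "-bs" in the report),
    lang_discovery (a flagged process opens ...\\Control\\NLS\\Language)."""
    alerts, dropped, flagged = [], {}, set()      # dropped: path -> creating pid
    for ev in events:
        kind, pid = ev["EventType"], ev["ProcessId"]
        if kind == "FileCreate":
            if WINDOWS_ROOT_EXE.match(ev["TargetFilename"]):
                dropped[ev["TargetFilename"].lower()] = pid
        elif kind == "ProcessCreate":
            image = ev["Image"]
            if matches_sample(parse_sysmon_hashes(ev.get("Hashes", ""))):
                flagged.add(pid)
                alerts.append({"rule": "known_sample", "pid": pid, "image": image})
            if image.lower() in dropped:
                flagged.add(pid)
                alerts.append({"rule": "drop_and_exec", "pid": pid, "image": image,
                               "dropped_by": dropped[image.lower()]})
            parent = ev["ParentProcessId"]
            if parent in flagged and image.lower().endswith(r"\iexplore.exe"):
                shared = trailing_args(ev.get("ParentCommandLine", "")) \
                    & trailing_args(ev["CommandLine"])
                flagged.add(pid)
                alerts.append({"rule": "inject_host", "pid": pid, "parent": parent,
                               "shared_args": sorted(shared)})
        elif kind == "RegistryEvent" and pid in flagged:
            if NLS_LANGUAGE_KEY.search(ev["TargetObject"]):
                alerts.append({"rule": "lang_discovery", "pid": pid, "key": ev["TargetObject"]})
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e83db1a7869c9e87b33736875765ab7a_JaffaCakes118.exe"
DROPPED = r"C:\Windows\apocalyps32.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed telemetry mirroring the report (PIDs 2440 -> 2120 -> 1940), plus two
# benign events that must not alert. The bare "-bs" command lines copy the report.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 2440, "ParentProcessId": 1000,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"',
     "Hashes": "SHA256=" + SAMPLE_HASHES["sha256"].upper()},
    {"EventType": "FileCreate", "ProcessId": 2440, "TargetFilename": DROPPED},
    {"EventType": "RegistryEvent", "ProcessId": 2440, "TargetObject": NLS_KEY},
    {"EventType": "ProcessCreate", "ProcessId": 2120, "ParentProcessId": 2440,
     "Image": DROPPED, "CommandLine": "-bs", "ParentCommandLine": f'"{SAMPLE}"'},
    {"EventType": "RegistryEvent", "ProcessId": 2120, "TargetObject": NLS_KEY},
    {"EventType": "ProcessCreate", "ProcessId": 1940, "ParentProcessId": 2120,
     "Image": IEXPLORE, "CommandLine": "-bs", "ParentCommandLine": "-bs"},
    {"EventType": "ProcessCreate", "ProcessId": 3000, "ParentProcessId": 1000,  # benign: never dropped
     "Image": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\explorer.exe"},
    {"EventType": "FileCreate", "ProcessId": 3000,  # benign: subdirectory, not the root
     "TargetFilename": r"C:\Windows\Temp\setup.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields five alerts in event order: the sample recognised by hash, its NLS\Language read, the dropped copy executing from the Windows root, that copy's NLS\Language read, and iexplore.exe being started by the flagged copy with the shared "-bs" argument. The explorer.exe and C:\Windows\Temp events produce nothing, which is the point of keying drop_and_exec on a preceding FileCreate rather than on the directory alone.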
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 98KB
- MD5: e83db1a7869c9e87b33736875765ab7a
- SHA1: 539fac361eaeed508d7cf0b18915c54e77f001be
- SHA256: 09ab96f15eb667dde711f954851b1c5e322a5b11b43f2e61ccaf0ddd16512ade
- SHA512: e355a1c58332d1fde97a568bf7cbb61e43c2f58eed914e417ac9174df12829bbc2e8fea6a6c61d87f56b59821d36f2225c98e0ce6a37605d5560f46dd6a1c124