Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2024, 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
- Size: 174KB
- MD5: fa81051829a3d385d98e67238af2565a
- SHA1: 341a494d1a82f9c6965c456495ff0c7429b8353d
- SHA256: b5c96d6f5d3cf75e91f7b43166b86042b8951b75d5a9f3cd9642abee38776376
- SHA512: 8cf6daefe0326bdf920292883881d897d8cd6f92b8408793641713590058e1b06b9926d15cecdd8ea819932cd502ef938a3f119c8092cb8ba86938fd4333b1b0
- SSDEEP: 3072:T1Y/WrL2R2eR3qKmZCDO9r37AuIId0xtsH9wTrw/rOFoIC3Trw/rOFoICc:pY/Wr42eVq7Zn7HbnKTU/rMoJTU/rMoq
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (5 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/4572-0-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
  behavioral2/memory/4572-1-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
  behavioral2/memory/4572-3-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
  behavioral2/memory/4572-4-0x0000000000400000-0x000000000041B000-memory.dmp   modiloader_stage2
  behavioral2/memory/4572-25-0x0000000000400000-0x000000000041B000-memory.dmp  modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  3152  server.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                             procid_target
  PID 3020 set thread context of 4572  3020  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  83
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3152  server.exe
  3152  server.exe
  3152  server.exe
  3152  server.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process                                             procid_target
  PID 3020 wrote to memory of 4572  3020  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  83
  PID 3020 wrote to memory of 4572  3020  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  83
  PID 3020 wrote to memory of 4572  3020  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  83
  PID 3020 wrote to memory of 4572  3020  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  83
  PID 3020 wrote to memory of 4572  3020  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  83
  PID 4572 wrote to memory of 3152  4572  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  84
  PID 4572 wrote to memory of 3152  4572  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  84
  PID 4572 wrote to memory of 3152  4572  fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe  84
  PID 3152 wrote to memory of 3568  3152  server.exe                                          56
  PID 3152 wrote to memory of 3568  3152  server.exe                                          56
  PID 3152 wrote to memory of 3568  3152  server.exe                                          56
  PID 3152 wrote to memory of 3568  3152  server.exe                                          56
  PID 3152 wrote to memory of 3568  3152  server.exe                                          56
  PID 3152 wrote to memory of 3568  3152  server.exe                                          56
Processes (indentation shows parent/child relationship)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3568
  - C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe"
    PID: 3020
    Signatures:
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fa81051829a3d385d98e67238af2565a_JaffaCakes118.exe"
      PID: 4572
      Signatures:
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        PID: 3152
        Signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
  MD5: e278df043a74086cf5b16328f47ab25d
  SHA1: e67a644885cbdbb3740956fa2523ac7ef7da8165
  SHA256: a3797ecbb2bd4466de8c702f763f1e058303216bcb5135566a90dff6a1d2643a
  SHA512: 404e1450094e751ad80b9e52d2feccc25fbb045b6bdd50e5438b4c4722fa61f2575703810ea019994ed833c5e09f93e6bd3f533e765a359de7543de5c15a8e89
- Filesize: 28KB
  MD5: 723fc73467d4c8e79f615bb510d2ce1d
  SHA1: 19ea3c5221b035643cba3844c2a41edaa03eb87a
  SHA256: 063481090a49a80feed9c88f8ca62f7f6919fff2adea4309323fdeb3d79f3ddd
  SHA512: e0acec47316335264bbf7f020f05784d3ac3cb6765cfda812df0c5a991575a38992333c5e74d43bbb69a0f6275777a9deadbcb4464704b9e6aa1ca39acc03b22