Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

JaffaCakes...45.exe

windows7-x64

10

JaffaCakes...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/01/2025, 07:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_638103a9e0df16b472635ee8de8ef945.exe

  • Size

    349KB

  • MD5

    638103a9e0df16b472635ee8de8ef945

  • SHA1

    418c9c86434ce0082308030187d89b5ac29e672c

  • SHA256

    b864428cd9571ddfe0f19df545566c215fe8807ce30f6ca0ff0505b63e79daa2

  • SHA512

    0100b5f634de52b6ccf356610984e65fbbc786727063efda12e8c55c184e066f4e763812fcb10a9ddce666aeec16d288ea7fd340b75a7399b61fab841c4d8ed8

  • SSDEEP

    6144:OAMj7UGSaJxF+hzzyymJopApGSb9SMwm2tVV1d2QSJbAr:PMXmaJfemJopKNAVXd2QSJM

Score
10/10
modiloaderdiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 11 IoCs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops file in System32 directory 22 IoCs
  • Suspicious use of SetThreadContext 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638103a9e0df16b472635ee8de8ef945.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638103a9e0df16b472635ee8de8ef945.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638103a9e0df16b472635ee8de8ef945.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638103a9e0df16b472635ee8de8ef945.exe
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\Keygen.exe
        C:\Windows\system32\Keygen.exe 468 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638103a9e0df16b472635ee8de8ef945.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\Keygen.exe
          C:\Windows\SysWOW64\Keygen.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Windows\SysWOW64\Keygen.exe
            C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2464
            • C:\Windows\SysWOW64\Keygen.exe
              C:\Windows\SysWOW64\Keygen.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2936
              • C:\Windows\SysWOW64\Keygen.exe
                C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2696
                • C:\Windows\SysWOW64\Keygen.exe
                  C:\Windows\SysWOW64\Keygen.exe
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2116
                  • C:\Windows\SysWOW64\Keygen.exe
                    C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1684
                    • C:\Windows\SysWOW64\Keygen.exe
                      C:\Windows\SysWOW64\Keygen.exe
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:3020
                      • C:\Windows\SysWOW64\Keygen.exe
                        C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2860
                        • C:\Windows\SysWOW64\Keygen.exe
                          C:\Windows\SysWOW64\Keygen.exe
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2980
                          • C:\Windows\SysWOW64\Keygen.exe
                            C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1764
                            • C:\Windows\SysWOW64\Keygen.exe
                              C:\Windows\SysWOW64\Keygen.exe
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              PID:2260
                              • C:\Windows\SysWOW64\Keygen.exe
                                C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:2816
                                • C:\Windows\SysWOW64\Keygen.exe
                                  C:\Windows\SysWOW64\Keygen.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  PID:448
                                  • C:\Windows\SysWOW64\Keygen.exe
                                    C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:380
                                    • C:\Windows\SysWOW64\Keygen.exe
                                      C:\Windows\SysWOW64\Keygen.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in System32 directory
                                      • System Location Discovery: System Language Discovery
                                      PID:2436
                                      • C:\Windows\SysWOW64\Keygen.exe
                                        C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:1644
                                        • C:\Windows\SysWOW64\Keygen.exe
                                          C:\Windows\SysWOW64\Keygen.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • System Location Discovery: System Language Discovery
                                          PID:2232
                                          • C:\Windows\SysWOW64\Keygen.exe
                                            C:\Windows\system32\Keygen.exe 524 "C:\Windows\SysWOW64\Keygen.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:2456
                                            • C:\Windows\SysWOW64\Keygen.exe
                                              C:\Windows\SysWOW64\Keygen.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • System Location Discovery: System Language Discovery
                                              PID:536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Windows\SysWOW64\Keygen.exe
    Filesize

    349KB

    MD5

    638103a9e0df16b472635ee8de8ef945

    SHA1

    418c9c86434ce0082308030187d89b5ac29e672c

    SHA256

    b864428cd9571ddfe0f19df545566c215fe8807ce30f6ca0ff0505b63e79daa2

    SHA512

    0100b5f634de52b6ccf356610984e65fbbc786727063efda12e8c55c184e066f4e763812fcb10a9ddce666aeec16d288ea7fd340b75a7399b61fab841c4d8ed8

    Download Submit

  • memory/264-31-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/264-29-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/380-103-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/1644-114-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/1684-63-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/1764-83-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/1884-27-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2196-6-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2208-0-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2208-4-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2208-8-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2208-30-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2208-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-7-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2464-40-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2696-54-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2816-94-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2860-74-0x0000000000010000-0x000000000006D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2936-43-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

  • memory/2936-44-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.