Analysis
max time kernel
74s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
12/01/2025, 14:30
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
-
Size
1.6MB
-
MD5
10e64c93155b53a75226cdef3795c948
-
SHA1
e62a70fc0a3f6ae135be671f3d18645007f649bb
-
SHA256
4ba6491f8f01bc9a94782fcd0c55ccfbf48db0736d5b78677dc44e7dbb09cfa3
-
SHA512
e988a00cdbc2c730c8c5cb8be3f96ca6086d73bc5a4450025ad9e6d1d0a82bb6429ecddaa606a0a27db2d579f31553c651a37cabb7a3d40d02fc96427c4a986c
-
SSDEEP
24576:0Pl9cThaekv6ixQZYk1gnBgGXXwn3AY2LHAV3WJ9dYqFHkgoUgaf+RDofl+nTPRS:49dFv6btK/wn3TIrxFEpUMRZTZn1akIj
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader First Stage 11 IoCs
resource yara_rule
behavioral2/memory/1196-458-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-460-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-461-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-462-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-463-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-464-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-465-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-466-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-467-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-468-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
behavioral2/memory/1196-469-0x0000000000400000-0x000000000075A000-memory.dmp modiloader_stage1
resource yara_rule
behavioral2/files/0x0007000000023cd0-442.dat aspack_v212_v242
Executes dropped EXE 2 IoCs
pid Process
464 irsetup.exe
1196 freescan.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spyware Begone = "c:\\freescan\\freescan.exe -FastScan" freescan.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\Spyware Begone Setup Log.txt irsetup.exe
File created C:\Windows\iun6002.exe irsetup.exe
File opened for modification C:\Windows\iun6002.exe irsetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language irsetup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language freescan.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process
1196 freescan.exe (8 identical entries)
Suspicious use of SendNotifyMessage 8 IoCs
pid Process
1196 freescan.exe (8 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
464 irsetup.exe (2 identical entries)
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 384 wrote to memory of 464 384 JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe 82 (3 identical entries)
PID 464 wrote to memory of 1196 464 irsetup.exe 92 (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10e64c93155b53a75226cdef3795c948.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 384
  C:\Users\Admin\AppData\Local\Temp\irsetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 464
    \??\c:\freescan\freescan.exe
      Command line: c:\freescan\freescan.exe -ScanNow
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1196
Network
MITRE ATT&CK Enterprise v15
Downloads