Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2025, 10:36
Behavioral task: behavioral1
- Sample: JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
- Size: 1.0MB
- MD5: a77bddc23470b26fb82a457f6efe485b
- SHA1: 402f44eb3b3c6b4ba3f4ae0a9565393147294614
- SHA256: 71cef093daa652359ac1e230499f18ce635b72dab461cee8e7bd3e8f7329eb15
- SHA512: 4fe675d255c8c2f5627dacf0406becf3d9918e6999a4957c7b6d80be2d400f7724ec55b5a1628d02161f8290ab8a89624db56cb7247decc7278c49fba2557153
- SSDEEP: 24576:RyngFg9MVEQdB0Z/Ip/XBc950hpi2QiGB2bb2NLeOC5UhKgbc96x:hFlVlB0Z/IpPqvD2Mib2heOAU6g
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2240-14-0x0000000000400000-0x00000000005E7000-memory.dmp | modiloader_stage2
  behavioral1/memory/2404-25-0x0000000000400000-0x00000000005E7000-memory.dmp | modiloader_stage2
  behavioral1/memory/2240-28-0x0000000000400000-0x00000000005E7000-memory.dmp | modiloader_stage2
  behavioral1/memory/2404-29-0x0000000000400000-0x00000000005E7000-memory.dmp | modiloader_stage2
- Executes dropped EXE (2 IoCs)
  pid | Process
  2240 | 259441877.exe
  2404 | 360se.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
  2240 | 259441877.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  2240 | 259441877.exe
  2404 | 360se.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\360se.exe | 259441877.exe
  File opened for modification | C:\Program Files\360se.exe | 259441877.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 259441877.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 360se.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
  2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2444 wrote to memory of 2240 | 2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe | 30
  PID 2444 wrote to memory of 2240 | 2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe | 30
  PID 2444 wrote to memory of 2240 | 2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe | 30
  PID 2444 wrote to memory of 2240 | 2444 | JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe | 30
  PID 2240 wrote to memory of 2404 | 2240 | 259441877.exe | 31
  PID 2240 wrote to memory of 2404 | 2240 | 259441877.exe | 31
  PID 2240 wrote to memory of 2404 | 2240 | 259441877.exe | 31
  PID 2240 wrote to memory of 2404 | 2240 | 259441877.exe | 31
  PID 2240 wrote to memory of 1156 | 2240 | 259441877.exe | 32
  PID 2240 wrote to memory of 1156 | 2240 | 259441877.exe | 32
  PID 2240 wrote to memory of 1156 | 2240 | 259441877.exe | 32
  PID 2240 wrote to memory of 1156 | 2240 | 259441877.exe | 32
Processes (process tree, depth shown by indentation)
- [1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a77bddc23470b26fb82a457f6efe485b.exe"
  PID: 2444
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\259441877.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\259441877.exe"
    PID: 2240
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\360se.exe
      Command line: "C:\Program Files\360se.exe"
      PID: 2404
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\259441877.exe"
      PID: 1156
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 844KB
- MD5: 852b5b18f3d36e14ed13fec6709260cd
- SHA1: fe771e50a181998ce9723e3482f67968411625a8
- SHA256: f01056d6a238866b90d8e4ec673f3bfcc9e2298ff4d05d1096965df3927608be
- SHA512: 632e2d95cb534c7e49160e8aea391e3594ab7e154e945501ff588ebf8e0fd96d700eaa00076af06e653687554c66f6faeb22d309aa5778e39313bf78613e4102