General

  • Target:
    358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118
  • Size:
    1.1MB
  • Sample:
    240710-t1lksazhmc
  • MD5:
    358393682ba7a3ac9e63d0b9faa15178
  • SHA1:
    58656237e8d2299017bdcc15b4e5afda9074bf82
  • SHA256:
    64c18cbee94fc9cb7a4978f908c79356433f3c6091a928654ea8555367fb0ca0
  • SHA512:
    1739b80728187a3584eedc426498daafed943b12bb320f86bc5a23522485f9651b72581ffec7c9d7d8270e97504f9af20311156908d1309f960eb919213fd1de
  • SSDEEP:
    24576:cHvZT0d//nI2VA6hX5pdoHPPuRMp4uwUTVZKXGUWikDYRBTCr8A:kBTynImBc3AM8isGoICBTCr8

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    homecomming

Targets

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks