Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/07/2024, 16:31
Static task: static1
Behavioral task: behavioral1
- Sample: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 358393682ba7a3ac9e63d0b9faa15178
- SHA1: 58656237e8d2299017bdcc15b4e5afda9074bf82
- SHA256: 64c18cbee94fc9cb7a4978f908c79356433f3c6091a928654ea8555367fb0ca0
- SHA512: 1739b80728187a3584eedc426498daafed943b12bb320f86bc5a23522485f9651b72581ffec7c9d7d8270e97504f9af20311156908d1309f960eb919213fd1de
- SSDEEP: 24576:cHvZT0d//nI2VA6hX5pdoHPPuRMp4uwUTVZKXGUWikDYRBTCr8A:kBTynImBc3AM8isGoICBTCr8
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.drivehq.com
- Port: 21
- Username: homecomming
Signatures
- Ardamax main executable (1 IoC)
  yara_rule family_ardamax matched resource behavioral2/files/0x00070000000234ce-8.dat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation (process: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  PID 5020 MXJ.exe
- Loads dropped DLL (1 IoC)
  PID 5020 MXJ.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MXJ Start = "C:\\Windows\\SysWOW64\\PLXWJW\\MXJ.exe" (process: MXJ.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (10 IoCs)
  File created: C:\Windows\SysWOW64\PLXWJW\MXJ.exe (process: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\PLXWJW\ (process: MXJ.exe)
  File opened for modification: C:\Windows\SysWOW64\PLXWJW\MXJ.008 (process: MXJ.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\Screen_Jul_10_2024__16_33_35.html (process: MXJ.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\Screen_Jul_10_2024__16_33_35.jpg (process: MXJ.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\MXJ.004 (process: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\MXJ.001 (process: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\MXJ.002 (process: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\AKV.exe (process: 358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\PLXWJW\MXJ.008 (process: MXJ.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (PID 5020 MXJ.exe)
  Token: SeIncBasePriorityPrivilege (PID 5020 MXJ.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 5020 MXJ.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2364 (358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe) wrote to memory of PID 5020, procid_target 85 (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe (PID 2364, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\358393682ba7a3ac9e63d0b9faa15178_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\PLXWJW\MXJ.exe (PID 5020, depth 2, child of the process above)
    Command line: "C:\Windows\system32\PLXWJW\MXJ.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads