Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ab81cf40d0...18.exe

windows7-x64

10

ab81cf40d0...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab81cf40d00a27ef7afc0499b785bfae_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    ab81cf40d00a27ef7afc0499b785bfae

  • SHA1

    3958d1863455e8c2ddb6635eacf9837458cb8c26

  • SHA256

    19c776462269aad3ea7ddc0675ff0aefeeb4826e97c59a148d5c46563206836f

  • SHA512

    a437e5dc1a17a2a34e2bbd7cb1f4cdbc6a884ec3d5b8ab54816f47ed96d22b027dc79d949ed218f55ec12544a23e74b992ac5a59f6b2c1e1da0f5ae9915dc219

  • SSDEEP

    24576:Yk/AToFxsx/OlGI4B1kWOPJwCbCCWeV4bTpuYFNanoN7CIu6DQnm+INsSFkZVi:5oToFOGPCAwCbJWeVUumgRnm8SFkZV

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerupx

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab81cf40d00a27ef7afc0499b785bfae_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ab81cf40d00a27ef7afc0499b785bfae_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\SysWOW64\LVFEWT\KLG.exe
      "C:\Windows\system32\LVFEWT\KLG.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:640
    • C:\Users\Admin\AppData\Local\Temp\PerX.exe
      "C:\Users\Admin\AppData\Local\Temp\PerX.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PerX.exe
    Filesize

    262KB

    MD5

    e974a7ed7fa0c096aa1f59ae6d8cce72

    SHA1

    24b215e712fa745ac94d033ee7c5a556a5df0dab

    SHA256

    d042a6add7b1547e5165d0c0c0f0eb21ee778b44c27e0a2bbce9f02b79156c0b

    SHA512

    156cfa7b252d8737a4d3fdc3f8095353051d7f15e1293d6c1213de36ea44d526fd94e75765b3a1f75ed83f9b02dd4329b9eab466e9188fea107e622d0c1d6ba4

    Download Submit

  • C:\Windows\SysWOW64\LVFEWT\AKV.exe
    Filesize

    466KB

    MD5

    4c5711d8a02899113661bdff195d80d5

    SHA1

    263592abea6d60887defb4b1bcb47dbb383edfb6

    SHA256

    661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

    SHA512

    4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

    Download Submit

  • C:\Windows\SysWOW64\LVFEWT\KLG.001
    Filesize

    61KB

    MD5

    7a5612cc859be918c5767487f8a6815a

    SHA1

    a855d3a3e6336ac0508a8099e8ace14680394c36

    SHA256

    643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

    SHA512

    31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

    Download Submit

  • C:\Windows\SysWOW64\LVFEWT\KLG.002
    Filesize

    43KB

    MD5

    b2bcd668abf17ee408d232cc636614b2

    SHA1

    c354f941121515536c4f0d9ae49ed1a9b28534b4

    SHA256

    563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

    SHA512

    ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

    Download Submit

  • C:\Windows\SysWOW64\LVFEWT\KLG.004
    Filesize

    1KB

    MD5

    e8c10a8579429ebd0a281d44510fd306

    SHA1

    5accc22ae004f1d281ece7955a5cf519f7dee97c

    SHA256

    a9933cbf59215e35553e319eacb1a1a745d2b45a2dd70cb1dbd11b038ee30763

    SHA512

    129ea4987676c82d7cf3e3caa5dc14f5d08e2305b19e8189a41366ba291d8b4fc065e52f6a73127c0a08caf8593e9aba970ff2aff8df371750a4bace1af11ac9

    Download Submit

  • C:\Windows\SysWOW64\LVFEWT\KLG.exe
    Filesize

    1.5MB

    MD5

    a9ea3f61a57b36cde9953afd91f18d34

    SHA1

    e7e931b96b6e39b64a2a38d704bbe9561a234cbc

    SHA256

    accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

    SHA512

    0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

    Download Submit

  • memory/640-18-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/640-30-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1320-29-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1320-27-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-31-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-33-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1320-32-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-35-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-36-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-42-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-44-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/1320-46-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download