Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

aff5c63b84...18.exe

windows7-x64

10

aff5c63b84...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aff5c63b84a430a7c61de6c845833a35_JaffaCakes118.exe

  • Size

    1.8MB

  • MD5

    aff5c63b84a430a7c61de6c845833a35

  • SHA1

    78bae340d1dce238204f1321af69f3ac7b42f620

  • SHA256

    d27e429b30898e790cd3507fc16a6f257c653279169e2acb93350226a225335e

  • SHA512

    ae62076f9faef2610de5d9cb74afaf02f3394e375c83aa62049af28e14ccd4f68cde11fbcd232883ed77af04b33647bea60193d69690ad1c4420d6376dc86d82

  • SSDEEP

    49152:cHjsdFMMSlhd9j7H3jeKoW1PjTT1v7Sr82Wap:n0MSv7Xj19PjN2v

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealerthemida

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aff5c63b84a430a7c61de6c845833a35_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\aff5c63b84a430a7c61de6c845833a35_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\install.exe
      "C:\Windows\install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\28463\CXJL.exe
        "C:\Windows\system32\28463\CXJL.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2604
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\foto.jpg
    Filesize

    32KB

    MD5

    00e6725f261d4ce29024138ac9f8739b

    SHA1

    353849cc6e72abd9676fb06405d73b6d0a9697ef

    SHA256

    40f702f0b9e0ab3755006a00f8f70863ad23e79994037537f7785b7cdc78c3e6

    SHA512

    d904aee8ec6a5f3091b3ea5ff64a34582179a96a608257d999232db168196d97cb862d481af870c4edf9571ef285432f46decd206e00992d472e93c8c5f3ba53

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    394KB

    MD5

    b87e2e56dbf34fb12705317f4d361c12

    SHA1

    3b4a6c2fddaab9f71747437c60dc7ad85661b4fa

    SHA256

    1ed5873542484a3f4c898de6684fc04bc0929e4fc795cd09b4b86f17e817d85a

    SHA512

    9d1bf05a200efda561f3141d3a4c70a347ba2a64fbfb5fb9b432956660b4aabc492f93fa50ba1928a3c408ec048c357a50cb79d12ba6200b28b1aeb98dbc39a0

    Download Submit

  • C:\Windows\SysWOW64\28463\CXJL.001
    Filesize

    520B

    MD5

    c4647e42f2b55e111c413c09f7d982f2

    SHA1

    e76fd1ef6ba49b277b8636cd5e84436a2da818dc

    SHA256

    26d2428b69a861a8cb59a1162d26dd5393f2f1f4ca1c63cf0f2182390d1cb1b5

    SHA512

    339d4d89ab962ee75557590597004c5eca7ea839d41dc9f19ecf1b3683a7e1c330c990c5382e42e5913c3bcc547f7e4812df927bede548f6590b1838e8cba19e

    Download Submit

  • C:\Windows\SysWOW64\28463\CXJL.006
    Filesize

    8KB

    MD5

    aae8ccee5d5eed5748d13f474123efea

    SHA1

    6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

    SHA256

    10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

    SHA512

    d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

    Download Submit

  • C:\Windows\SysWOW64\28463\CXJL.007
    Filesize

    5KB

    MD5

    40685d22d05d92462a2cfc1bba9a81b7

    SHA1

    f0e19012d0ed000148898b1e1264736bed438da8

    SHA256

    cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

    SHA512

    21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

    Download Submit

  • C:\Windows\install.exe
    Filesize

    520KB

    MD5

    c7046ed479051d90bf1a6413a807bb06

    SHA1

    a0170434adcaf4bf95492d9b72005d499bb684cb

    SHA256

    a8fd606760917204a2d894cea6051f06f3fb18d412982dd40426108198af89cc

    SHA512

    aded91e1c6b1ae126d719894efda734713f5a0089b6f89d438efeee378981fd452640fb7de4da2c145b47fa7885b7a96f2239d108ce9e9d4bf0ee78b3abffcd0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@59A5.tmp
    Filesize

    4KB

    MD5

    27092ec75c1839f36bfe900a38acc484

    SHA1

    fe14b750a0ed653246c5f358891f8c1241913bb2

    SHA256

    e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

    SHA512

    815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

    Download Submit

  • \Windows\SysWOW64\28463\CXJL.exe
    Filesize

    473KB

    MD5

    339ae4ce820cda75bbb363b2ed1c06fd

    SHA1

    62399c6102cc98ed66cbcd88a63ff870cf7b2100

    SHA256

    1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

    SHA512

    5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

    Download Submit

  • memory/652-44-0x0000000000210000-0x0000000000212000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2728-1-0x0000000000700000-0x00000000007EC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2728-11-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2728-4-0x0000000000400000-0x0000000000700000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2728-2-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2728-0-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2848-43-0x00000000027C0000-0x00000000027C2000-memory.dmp

    Filesize

    8KB

    Download