Analysis
max time kernel: 133s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
Size: 1.6MB
MD5: b5b1d763703c33438c101d5e1bf6d09c
SHA1: 199e28b5e26a679abd193ffc215f9fbd5c8062aa
SHA256: 0a4ff2e067fe1644dfca1f3542bc44c86e05c67ec454b7a4775a8a15afa8e367
SHA512: 44a3290d6c935276da2c7285980a2027df76a7c9b78fe3afb049a6abdb39729f6bf259646698b46bf56485742fcbcbd0556b06c3085d092a272573282093c1ec
SSDEEP: 24576:UjxJRkKup3nSivnVM2EgFurReZLX23nHxNawI7JRgRRczuf1van6gG/9Kwfmwk:0ivV5iWLXwnzEyqzkExw
Malware Config
Signatures

Ardamax main executable (1 IoC)
resource: behavioral2/files/0x0007000000023515-22.dat, yara_rule: family_ardamax

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (process: win32.exe)

Executes dropped EXE (2 IoCs)
PID 3100: win32.exe
PID 892: VYQ.exe

Loads dropped DLL (1 IoC)
PID 892: VYQ.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str): \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runAPI46 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\runAPI93.exe\"" (process: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VYQ Start = "C:\\Windows\\SysWOW64\\RAMHIT\\VYQ.exe" (process: VYQ.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (7 IoCs)
File created: C:\Windows\SysWOW64\RAMHIT\VYQ.exe (process: win32.exe)
File opened for modification: C:\Windows\SysWOW64\RAMHIT\ (process: VYQ.exe)
File created: C:\Windows\SysWOW64\RAMHIT\VYQ.004 (process: win32.exe)
File created: C:\Windows\SysWOW64\RAMHIT\VYQ.001 (process: win32.exe)
File created: C:\Windows\SysWOW64\RAMHIT\VYQ.002 (process: win32.exe)
File created: C:\Windows\SysWOW64\RAMHIT\AKV.exe (process: win32.exe)
File created: C:\Windows\SysWOW64\RAMHIT\VYQ.003 (process: win32.exe)

Suspicious use of SetThreadContext (1 IoC)
PID 880 set thread context of 3100 (process: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe, procid_target: 84)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: win32.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: VYQ.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 892: VYQ.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: 33 (PID 892, process: VYQ.exe)
Token: SeIncBasePriorityPrivilege (PID 892, process: VYQ.exe)

Suspicious use of SetWindowsHookEx (4 IoCs)
PID 892: VYQ.exe (4 entries)

Suspicious use of WriteProcessMemory (13 IoCs)
PID 880 wrote to memory of 3100 (process: b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe, procid_target: 84), 10 entries
PID 3100 wrote to memory of 892 (process: win32.exe, procid_target: 86), 3 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b5b1d763703c33438c101d5e1bf6d09c_JaffaCakes118.exe"
   PID: 880
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\win32.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\win32.exe
      PID: 3100
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\RAMHIT\VYQ.exe
         Command line: "C:\Windows\system32\RAMHIT\VYQ.exe"
         PID: 892
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads