Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27/08/2024, 22:33
Static task
static1
Behavioral task
behavioral1
Sample
c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
c5dc872493484557cca5115944d5bc23
-
SHA1
7e273cca94a8fe28d1ca41bec533274cf99d135f
-
SHA256
4f39eb15caf1f914da1fd37c3446fe79bdf6b3650dfa08dbe91972227a7d8574
-
SHA512
8acc51762452c20c8ce0f91054ed039a6b279e8d2c536af129a5f23ab08b97389c974eef7a3a3c96b6f8134ef4b57d18e5181858fb4c821db1f5f5aa880bdf5c
-
SSDEEP
24576:UHvZThWXS3+wfvh66/dbfoeVL9pjl2+y5p00fWshv6Fw/qoz:cBTgs+wYkbAerpjqr0KyFEL
Malware Config
Extracted
Protocol: ftp- Host:
ftp.drivehq.com - Port:
21 - Username:
homecomming
Signatures
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x0007000000018716-6.dat family_ardamax -
Executes dropped EXE 1 IoCs
pid Process 2740 DIR.exe -
Loads dropped DLL 2 IoCs
pid Process 2924 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe 2740 DIR.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DIR Start = "C:\\Windows\\SysWOW64\\XIUOCP\\DIR.exe" DIR.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 14 IoCs
description ioc Process File created C:\Windows\SysWOW64\XIUOCP\DIR.004 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe File created C:\Windows\SysWOW64\XIUOCP\DIR.exe c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe File created C:\Windows\SysWOW64\XIUOCP\DIR.008 DIR.exe File created C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_33_42.html DIR.exe File created C:\Windows\SysWOW64\XIUOCP\DIR.001 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe File created C:\Windows\SysWOW64\XIUOCP\DIR.002 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe File created C:\Windows\SysWOW64\XIUOCP\AKV.exe c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe File created C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_33_42.jpg DIR.exe File created C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_34_12.html DIR.exe File opened for modification C:\Windows\SysWOW64\XIUOCP\ DIR.exe File created C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_35_12.html DIR.exe File created C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_35_12.jpg DIR.exe File opened for modification C:\Windows\SysWOW64\XIUOCP\DIR.008 DIR.exe File created C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_34_12.jpg DIR.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DIR.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2740 DIR.exe Token: SeIncBasePriorityPrivilege 2740 DIR.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2740 DIR.exe 2740 DIR.exe 2740 DIR.exe 2740 DIR.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2740 2924 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe 31 PID 2924 wrote to memory of 2740 2924 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe 31 PID 2924 wrote to memory of 2740 2924 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe 31 PID 2924 wrote to memory of 2740 2924 c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\XIUOCP\DIR.exe"C:\Windows\system32\XIUOCP\DIR.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2740
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
461KB
MD57e335c1258740a5798c2b3eea5a97229
SHA16ce1e98ddc05a4b9e772901c9bc6caae4103267f
SHA256667ab5d791b89216a46f7dd3a1bcb9b7e5f235415a74a9678ca41cec051c462f
SHA5128c190dd139f5459a91c81871f53fc080a81c6397c68cb5b0ee195571012cc8af923b10cd77301da1816f935d36a0587d1c75126f5553005a0f50eb22d3441cb4
-
Filesize
87KB
MD590dfd583b56f5443bdca798c48f47ead
SHA19df8a45e79206f86b07d89b05b388d35e4823033
SHA256484ad2b1d26032b5e3bfcc56e2c3ba4eca9c96c71aff1b5f394db925b565a58f
SHA51218bc19a475392c640b53522f24aa87e72d8211b7b798b315cc4be75a0567ce9590ee72302670a9da67450fed0657a0e5797d4bedcaac600a82553f91b66be80d
-
Filesize
87KB
MD56c234684c0718ae64f2806a2bc59d460
SHA15f1e058c27b41342d571015b27a54f4c72dc16a0
SHA256bd8c399a196ee61f01f79d7187ab9365e7aea60f0acb2ddf6fb830acb76ce8d1
SHA5129bb04a1108652b288185b22f30532a4f3407ba888511de3433886cd415f43c1ffe542f00ce0dd789302ee4884d2bc42b70fdc4cb26e1a537f6d482143ef5dead
-
Filesize
61KB
MD59fca42b7fa3132ded471b886c4bf8a51
SHA186109ac13f8b63bd3467bbf05e39c5cf9bd11d26
SHA256c519bcfc50245700b30cb417478b46810443b03a6447387dd1d0a13966ff00dd
SHA512bbdd590e1bd2971fbc6a462f6501341c0808d658ba3407b051f9d299d9babf0632af092d64c6ad290d4ae5d9db8c367898a064bbea916c516c0a54066ad698ab
-
Filesize
43KB
MD54c30b3e90b3da5619bc0d5f53c025135
SHA1829f487b7c26f6cb8b7f211b2331abbc5229aa61
SHA256b632cedab7ce3d19eebc0d31864dc8c38cd249dcbde299cda818f7026ec294cf
SHA512fd0b36fb43c6b62f6d47455b392276d4e3710b204ef11c70cefed417740a4b5d9357ba37f612f3f87d539175af312ead05bc7a4360fe3e26fd43c56e856e6313
-
Filesize
1KB
MD56d66dcf4e350505eefc17a779c2b6bde
SHA1b631ee7e1051ae3c937b803d9e323232821300a2
SHA2561fafa2f8a90c99690bceee928c9e99a893788ac2409cff0ebbdf3d63b257387a
SHA51206470a2f223ccf8cad834d97ffc5c0e982c1c15d935e055452275d8c9b098bf34b998b87263fc870cade02f35422eaf2b17cc29efd1459359f7367c2925d5b11
-
Filesize
87KB
MD55a7caf1b39ccc84c53c63812e8d2b4df
SHA18fd71b6aaaada76ace921f5914265749a7341cc6
SHA256cd89120f4b51edab01a7ede87115f67b66feebb781df381909f5d72edb310380
SHA512d5df8ac7d3efaf9ea16d41e757ae2878b5f6b56c5a40fa392fb15cf24390553007764b53d89bcbcd073a7ce56990fc1a75226f846b3738f2dff225b78f4cf453
-
Filesize
87KB
MD5c765beb5de9ba8411c5c2ced701850e2
SHA12c2d79880e8487609ef3a4f88e337098c985b32c
SHA256e10f9132eb9a6a610ca5ad9ddd7e11a20562528418d0f6a8ce6272e4c9d5084f
SHA5124a330410bce201976d0715b318e6984d826633ee04261ef33c5681e14d54bd5cb64c584bedc4ecd77a7abaff9a43c1ea547b2ea5c038fbc7568aefe0c30dfaa9
-
Filesize
1.5MB
MD59c28244f2dbe3a4758b532838b0040c9
SHA14b58bb4033d43ae64af6c18db48d5d25e23f6121
SHA256cb770745d547a27a4b99fdbe27a672135f812b29d94fd2b843d06bb5aa1748aa
SHA51224ed3d4c6aae307a0f1bb1f063b211152644b06d7425a5fe24b09f5f747dd63011451cef3f47cc4985b3316cf1213c056d38768ccb7f44cb2fab28cf4e30e969