Analysis
Max time kernel: 140s
Max time network: 139s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27/08/2024, 22:33
Static task: static1
Behavioral task: behavioral1
  Sample: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
Size: 1.1MB
MD5: c5dc872493484557cca5115944d5bc23
SHA1: 7e273cca94a8fe28d1ca41bec533274cf99d135f
SHA256: 4f39eb15caf1f914da1fd37c3446fe79bdf6b3650dfa08dbe91972227a7d8574
SHA512: 8acc51762452c20c8ce0f91054ed039a6b279e8d2c536af129a5f23ab08b97389c974eef7a3a3c96b6f8134ef4b57d18e5181858fb4c821db1f5f5aa880bdf5c
SSDEEP: 24576:UHvZThWXS3+wfvh66/dbfoeVL9pjl2+y5p00fWshv6Fw/qoz:cBTgs+wYkbAerpjqr0KyFEL
Malware Config
Extracted
Protocol: ftp
Host: ftp.drivehq.com
Port: 21
Username: homecomming
Signatures

Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x0007000000023489-8.dat
  yara_rule: family_ardamax

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)

Executes dropped EXE (1 IoC)
  PID 3276: DIR.exe

Loads dropped DLL (1 IoC)
  PID 3276: DIR.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DIR Start = "C:\\Windows\\SysWOW64\\XIUOCP\\DIR.exe" (process: DIR.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (15 IoCs)
  File created: C:\Windows\SysWOW64\XIUOCP\DIR.001 (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_34_13.jpg (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_35_13.html (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_34_13.html (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_35_13.jpg (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\DIR.exe (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\XIUOCP\ (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\DIR.008 (process: DIR.exe)
  File opened for modification: C:\Windows\SysWOW64\XIUOCP\DIR.008 (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_34_43.jpg (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\DIR.004 (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\DIR.002 (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\AKV.exe (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_33_42.html (process: DIR.exe)
  File created: C:\Windows\SysWOW64\XIUOCP\Screen_Aug_27_2024__22_33_42.jpg (process: DIR.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: DIR.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (PID 3276, DIR.exe)
  Token: SeIncBasePriorityPrivilege (PID 3276, DIR.exe)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3276: DIR.exe (reported 4 times)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1232 (c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe) wrote to memory of PID 3276 (procid_target 88), reported 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c5dc872493484557cca5115944d5bc23_JaffaCakes118.exe"
   PID: 1232
   - Checks computer location settings
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\XIUOCP\DIR.exe (spawned by process 1, PID 1232)
      Command line: "C:\Windows\system32\XIUOCP\DIR.exe"
      PID: 3276
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 461KB
  MD5: 7e335c1258740a5798c2b3eea5a97229
  SHA1: 6ce1e98ddc05a4b9e772901c9bc6caae4103267f
  SHA256: 667ab5d791b89216a46f7dd3a1bcb9b7e5f235415a74a9678ca41cec051c462f
  SHA512: 8c190dd139f5459a91c81871f53fc080a81c6397c68cb5b0ee195571012cc8af923b10cd77301da1816f935d36a0587d1c75126f5553005a0f50eb22d3441cb4

File 2
  Filesize: 94KB
  MD5: b68da51a9fec796cf70be53dad5b3451
  SHA1: 8ddf0302cdcf903be527f755c5d2ff88c7220d87
  SHA256: c5b18ecc36d91fdbffcd0f2d5ab7d238bf33d4cbe3bc25b2e17b9e5bc6faf735
  SHA512: c35a99c1a564fd34435951904f3c6d64bb1f9fd94c5d3b9311193e85535518bcca00213429825ec39d85ff7a4c4ac540a6e24e4943170a54fc148f474101dc5d

File 3
  Filesize: 189KB
  MD5: b729117e7808c1202322a72c8cb2940d
  SHA1: e4ae7ae2bcedbf9b5787825363f8e1b8ef764a07
  SHA256: 29d98fbf1ad400ff6828f2d9c0220d865e5cfa9dcadcdaa553b0ce0bf2518d4e
  SHA512: fc1e78c2b2572d1f3566364d2d4816fabd4e8bf1684606b087c886fea07c984c9fdfe018c0a14144bf2afc95621e010e02cb7e61ac972a8e8cdf645d9815654f

File 4
  Filesize: 95KB
  MD5: 535133d46e57d07ea05988a62f4c84b8
  SHA1: ae734cfdf43378a370e2e8ce98d353b6c2b20375
  SHA256: d12d371cf6fd5ddcc2ae3d6a0d9d38fdc91dea716ebd58ce2b884cfd3fd7e683
  SHA512: ea02e427bca866a6b0d9fd14d4bdc8badc39267fd6b6f0e8023659c8608a18856a91a6722c40494fd17873883dac0e4795d5857ffd9699e8186e0a72b626348b

File 5
  Filesize: 61KB
  MD5: 9fca42b7fa3132ded471b886c4bf8a51
  SHA1: 86109ac13f8b63bd3467bbf05e39c5cf9bd11d26
  SHA256: c519bcfc50245700b30cb417478b46810443b03a6447387dd1d0a13966ff00dd
  SHA512: bbdd590e1bd2971fbc6a462f6501341c0808d658ba3407b051f9d299d9babf0632af092d64c6ad290d4ae5d9db8c367898a064bbea916c516c0a54066ad698ab

File 6
  Filesize: 43KB
  MD5: 4c30b3e90b3da5619bc0d5f53c025135
  SHA1: 829f487b7c26f6cb8b7f211b2331abbc5229aa61
  SHA256: b632cedab7ce3d19eebc0d31864dc8c38cd249dcbde299cda818f7026ec294cf
  SHA512: fd0b36fb43c6b62f6d47455b392276d4e3710b204ef11c70cefed417740a4b5d9357ba37f612f3f87d539175af312ead05bc7a4360fe3e26fd43c56e856e6313

File 7
  Filesize: 1KB
  MD5: 6d66dcf4e350505eefc17a779c2b6bde
  SHA1: b631ee7e1051ae3c937b803d9e323232821300a2
  SHA256: 1fafa2f8a90c99690bceee928c9e99a893788ac2409cff0ebbdf3d63b257387a
  SHA512: 06470a2f223ccf8cad834d97ffc5c0e982c1c15d935e055452275d8c9b098bf34b998b87263fc870cade02f35422eaf2b17cc29efd1459359f7367c2925d5b11

File 8
  Filesize: 1.5MB
  MD5: 9c28244f2dbe3a4758b532838b0040c9
  SHA1: 4b58bb4033d43ae64af6c18db48d5d25e23f6121
  SHA256: cb770745d547a27a4b99fdbe27a672135f812b29d94fd2b843d06bb5aa1748aa
  SHA512: 24ed3d4c6aae307a0f1bb1f063b211152644b06d7425a5fe24b09f5f747dd63011451cef3f47cc4985b3316cf1213c056d38768ccb7f44cb2fab28cf4e30e969

File 9
  Filesize: 94KB
  MD5: 71c5c4505fafc72d1c31ac7471600d43
  SHA1: 345d494e491994b55e373d52fa6813d79a42b5ab
  SHA256: 1c3113f77be2cad426c45b6b464c7c7b7fe25bac63cd1612786814bbf232d015
  SHA512: 9eba644d052af7b61edebfbb9bc4c4a9f75e2b05c2f6c1ca4677de7a291d90a148ee2499a502200210344e79af0b9c3d180719629be3e69b5d554337b35e5fdf