Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 31/08/2024, 16:49

General

  • Target: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  • Size: 1.2MB
  • MD5: cd3392fb8eaad9e4875e4e1544754fc3
  • SHA1: 514b0bc99a88865ef3c1a49f9034dbdab898d510
  • SHA256: c32636cb94022907d1a5642c476d284d9f4462d6221b38eb30b256a651dbc802
  • SHA512: 8f0cfa87c19c7d5a7dfd369c23d945cc3b5d59ffd60fe5542093bf6c4c756050ec51d4eb423f76bcb8d2636ad8587182ca1a1e847058b801cf511366be989882
  • SSDEEP: 24576:9k/ATXowW3FgTB/LfQ/rGuDkfuo7o/xzf2blhk95oL15Hs/WsKLpOC5spd:CoTXgWTO/nW7TBhksL153gnp

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Windows\SysWOW64\OHNSGG\QVA.exe
      "C:\Windows\system32\OHNSGG\QVA.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OHNSGG\QVA.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2292
    • C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe
      "C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\OHNSGG\QVA.001
    Filesize: 61KB
    MD5: 7a5612cc859be918c5767487f8a6815a
    SHA1: a855d3a3e6336ac0508a8099e8ace14680394c36
    SHA256: 643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1
    SHA512: 31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

  • C:\Windows\SysWOW64\OHNSGG\QVA.002
    Filesize: 43KB
    MD5: b2bcd668abf17ee408d232cc636614b2
    SHA1: c354f941121515536c4f0d9ae49ed1a9b28534b4
    SHA256: 563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99
    SHA512: ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

  • C:\Windows\SysWOW64\OHNSGG\QVA.004
    Filesize: 1KB
    MD5: 456f38fe3b18f0aef97eeb20cdf77335
    SHA1: a946fcb212d3f090a2d0cb9c6a12684bc291993d
    SHA256: 70018c1a3b8abd19a646fa409e24702d14b0ebca0b17906dfbc2295f302d6404
    SHA512: f371d799678351ddb3982cb9ef864f9d5ff0f8b15d7ea828da05ef509a11f5e6bb0b828ffb69a4b86dcaf179547e85e0233cb71eb899286a77fd32b130c8010e

  • \Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe
    Filesize: 382KB
    MD5: 0187882fd5c0b80c0cc1e784d8e40731
    SHA1: e88f4075bec77757f9974368a59e495990d5e2f0
    SHA256: 8591ad8805a1282cf5b1a1db15bcc0baf27014590f07b32cbbe6bb01822d784e
    SHA512: 7c18130050e9cb9293bab366098d29ef948bf3a2e6362fa40c5b0c8fa45e19008026f8cdf65bff74ec464a933b4a41622f0ab891e9f953ab33e7d689b1f5adc9

  • \Users\Admin\AppData\Local\Temp\nsdD49E.tmp\LangDLL.dll
    Filesize: 5KB
    MD5: 9384f4007c492d4fa040924f31c00166
    SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
    SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
    SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

  • \Users\Admin\AppData\Local\Temp\nsdD49E.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsdD49E.tmp\nsDialogs.dll
    Filesize: 9KB
    MD5: c10e04dd4ad4277d5adc951bb331c777
    SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
    SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
    SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

  • \Windows\SysWOW64\OHNSGG\QVA.exe
    Filesize: 1.5MB
    MD5: a9ea3f61a57b36cde9953afd91f18d34
    SHA1: e7e931b96b6e39b64a2a38d704bbe9561a234cbc
    SHA256: accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec
    SHA512: 0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

  • memory/1776-28-0x00000000005E0000-0x00000000005F5000-memory.dmp
    Filesize: 84KB

  • memory/2440-14-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize: 4KB

  • memory/2440-45-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize: 4KB