Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 31/08/2024, 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
Size: 1.2MB
MD5: cd3392fb8eaad9e4875e4e1544754fc3
SHA1: 514b0bc99a88865ef3c1a49f9034dbdab898d510
SHA256: c32636cb94022907d1a5642c476d284d9f4462d6221b38eb30b256a651dbc802
SHA512: 8f0cfa87c19c7d5a7dfd369c23d945cc3b5d59ffd60fe5542093bf6c4c756050ec51d4eb423f76bcb8d2636ad8587182ca1a1e847058b801cf511366be989882
SSDEEP: 24576:9k/ATXowW3FgTB/LfQ/rGuDkfuo7o/xzf2blhk95oL15Hs/WsKLpOC5spd:CoTXgWTO/nW7TBhksL153gnp
Malware Config
Signatures
Ardamax main executable (1 IoC)
  resource: behavioral1/files/0x0007000000016123-5.dat, yara_rule: family_ardamax
Executes dropped EXE (2 IoCs)
  PID 2440, process: QVA.exe
  PID 1776, process: elf 3.9.7.0.exe
Loads dropped DLL (7 IoCs)
  PID 1880, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  PID 2440, process: QVA.exe
  PID 1880, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  PID 1776, process: elf 3.9.7.0.exe
  PID 1776, process: elf 3.9.7.0.exe
  PID 1776, process: elf 3.9.7.0.exe
  PID 1776, process: elf 3.9.7.0.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QVA Start = "C:\\Windows\\SysWOW64\\OHNSGG\\QVA.exe"
  process: QVA.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (5 IoCs)
  File created: C:\Windows\SysWOW64\OHNSGG\QVA.004, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\OHNSGG\QVA.001, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\OHNSGG\QVA.002, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  File created: C:\Windows\SysWOW64\OHNSGG\QVA.exe, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  File opened for modification: C:\Windows\SysWOW64\OHNSGG\, process: QVA.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: QVA.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: elf 3.9.7.0.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process: cmd.exe
NSIS installer (2 IoCs)
  resource: behavioral1/files/0x00070000000161f3-17.dat, yara_rule: nsis_installer_1
  resource: behavioral1/files/0x00070000000161f3-17.dat, yara_rule: nsis_installer_2
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1776, process: elf 3.9.7.0.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: 33, PID 2440, process: QVA.exe
  Token: SeIncBasePriorityPrivilege, PID 2440, process: QVA.exe
  Token: SeIncBasePriorityPrivilege, PID 2440, process: QVA.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 2440, process: QVA.exe
  PID 2440, process: QVA.exe
  PID 2440, process: QVA.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1880 wrote to memory of 2440, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 31
  PID 1880 wrote to memory of 2440, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 31
  PID 1880 wrote to memory of 2440, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 31
  PID 1880 wrote to memory of 2440, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 31
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 1880 wrote to memory of 1776, process: cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe, procid_target: 32
  PID 2440 wrote to memory of 2292, process: QVA.exe, procid_target: 33
  PID 2440 wrote to memory of 2292, process: QVA.exe, procid_target: 33
  PID 2440 wrote to memory of 2292, process: QVA.exe, procid_target: 33
  PID 2440 wrote to memory of 2292, process: QVA.exe, procid_target: 33
Processes
C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cd3392fb8eaad9e4875e4e1544754fc3_JaffaCakes118.exe"
  PID: 1880
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\OHNSGG\QVA.exe
    command line: "C:\Windows\system32\OHNSGG\QVA.exe"
    PID: 2440
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OHNSGG\QVA.exe > nul
      PID: 2292
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\elf 3.9.7.0.exe"
    PID: 1776
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads