Analysis
  Max time kernel: 94s
  Max time network: 95s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240802-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 07/09/2024, 05:10
Static task: static1
Behavioral task: behavioral1
  Sample: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
  Target: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
  Size: 1.2MB
  MD5: d1264394591171f7aec07628e8cabfb8
  SHA1: 51c128411497aaa60c55fbc20d173c7fcb82ba17
  SHA256: b5caa1969c3f79397f7d79bb0c4b4996f28e60cb463ac641915a5e6f00e800bf
  SHA512: b800a52320f4d1098050a3f5bcb52a767833ed0802e7d5cea98ccbd8648f3df00efe5224475625371f3506db83ca1c2e3649d8ff582e7fc64901d14b34dfc603
  SSDEEP: 24576:guNOT9WWYPYIRuPR2C4/3bf7S8wqRsJNWlHznWCliYatKwTOkwfZHuDcJ:gucTQW4lWAzfwasJYpyO5xHu
Malware Config
Signatures

Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x00070000000234d1-8.dat
  yara_rule: family_ardamax

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation (process: BVN.exe)

Executes dropped EXE (1 IoC)
  PID 1040: BVN.exe

Loads dropped DLL (1 IoC)
  PID 1040: BVN.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BVN Start = "C:\\Windows\\SysWOW64\\GCAKTL\\BVN.exe" (process: BVN.exe)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\GCAKTL\AKV.exe (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\GCAKTL\BVN.exe (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\GCAKTL\ (process: BVN.exe)
  File created: C:\Windows\SysWOW64\GCAKTL\BVN.004 (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\GCAKTL\BVN.001 (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\GCAKTL\BVN.002 (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: BVN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1040: BVN.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: 33 (PID 1040, BVN.exe)
  Token: SeIncBasePriorityPrivilege (PID 1040, BVN.exe, 2 events)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1040: BVN.exe (4 events)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5084 wrote to memory of PID 1040 (process: d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe, procid_target 83, 3 events)
  PID 1040 wrote to memory of PID 3564 (process: BVN.exe, procid_target 95, 3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d1264394591171f7aec07628e8cabfb8_JaffaCakes118.exe"
   PID: 5084
   - Checks computer location settings
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\GCAKTL\BVN.exe
      Command line: "C:\Windows\system32\GCAKTL\BVN.exe"
      PID: 1040
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GCAKTL\BVN.exe > nul
         PID: 3564
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads