
Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/09/2024, 18:23

General

  • Target

    d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe

  • Size

    657KB

  • MD5

    d8cab9f0e1d8aa81e904fd511fd4db06

  • SHA1

    c8f507e1184466db73e15d1ad73328b3a747c026

  • SHA256

    3d99f295aeceacdb62e59c0728e3348f94a4261a1accbe672e3d04c9d7e2365a

  • SHA512

    c0e094690be06e12937bd9b3279169864cf9066cd9b18449d36151a9704d13fa0c5caeb675358c1abcf1d78fc7431651a1b0211b1534a0333736ec5c7095450a

  • SSDEEP

    12288:Cl2YX3TdtLW5WIj1YSSdFxsBSXyMzBUWb9lx/9AgHLo8OW+rBj:CkcDsj1dEcBcJ9nPx/igrp+1

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Renames multiple (216) files with added filename extension

    This heuristic usually indicates ransomware encrypting files on the system. Before treating it that way here, note that the renamed files shown under Downloads are executables given a second .exe extension (for example C:\Program Files\7-Zip\7z.exe.Exe), so verify whether the file contents were actually encrypted.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
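The registry-side signatures above (Modifies WinLogon for persistence, Adds Run key, Disables RegEdit / Task Manager via registry modification) can be re-checked on a suspect host from a registry dump. The following is an added example, not code from the tria.ge report: it evaluates a snapshot of registry values against the stock Winlogon Shell/Userinit values, the DisableRegistryTools and DisableTaskMgr policy values, and Run-key targets shaped like this sample's drop locations. SAMPLE_SNAPSHOT is constructed for the demonstration; the report does not say which Winlogon value or Run entry the sample wrote, only that it wrote them, and the Run-target pattern (a numeric subdirectory of SysWOW64, an .exe in the Windows root) is an assumption generalised from the paths in the process tree.

```python
"""Registry checks for the persistence and policy signatures listed above.

Added example, not part of the tria.ge report. SAMPLE_SNAPSHOT is
constructed; the exact values this sample wrote are not in the report.
"""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a clean Windows 10 install.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
POLICY_KEYS = (
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
)
RUN_KEYS = (
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
)
# Run-key targets shaped like this sample's drop locations (assumption
# generalised from the process tree): a numeric subdirectory of
# System32/SysWOW64 (28463 in the report) or an .exe directly in the
# Windows root (Logo1_.exe in the report).
SUSPICIOUS_RUN_TARGET = re.compile(
    r'^"?C:\\Windows\\(?:SysWOW64|System32)\\\d+\\'
    r'|^"?C:\\Windows\\[^\\]+\.exe',
    re.IGNORECASE,
)


def check_registry(snapshot):
    """snapshot: {key_path: {value_name: data}}, e.g. parsed from `reg query`
    output or read with winreg. Returns a list of (finding, where, data)."""
    findings = []
    winlogon = snapshot.get(WINLOGON, {})
    for name, default in WINLOGON_DEFAULTS.items():
        data = winlogon.get(name)
        if data is not None and data.strip().lower() != default.lower():
            findings.append(("winlogon_modified", name, data))
    for key in POLICY_KEYS:
        values = snapshot.get(key, {})
        # A non-zero DWORD here is what disables regedit / Task Manager.
        if values.get("DisableRegistryTools") not in (None, 0):
            findings.append(("regedit_disabled", key, values["DisableRegistryTools"]))
        if values.get("DisableTaskMgr") not in (None, 0):
            findings.append(("taskmgr_disabled", key, values["DisableTaskMgr"]))
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if SUSPICIOUS_RUN_TARGET.search(str(data)):
                findings.append(("run_key_suspicious_target", name, data))
    return findings


# Constructed snapshot (hypothetical values, not captured from the sandbox).
SAMPLE_SNAPSHOT = {
    WINLOGON: {
        "Shell": r"explorer.exe,C:\Windows\Logo1_.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
    POLICY_KEYS[0]: {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    RUN_KEYS[1]: {
        "svchost": r"C:\Windows\SysWOW64\28463\svchost.exe",
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_SNAPSHOT):
        print(*finding)
```

On the constructed snapshot this reports the altered Shell value, both policy values and the Run entry pointing into SysWOW64\28463, and stays silent on the stock Userinit value and the SecurityHealthSystray entry. Feed it real data by exporting the keys with `reg query` on the host and parsing the output into the same dict shape.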

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Disables RegEdit via registry modification
            • Executes dropped EXE
            • Adds Run key to start application
            • Enumerates connected drives
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3984
            • C:\Windows\SysWOW64\28463\svchost.exe
              C:\Windows\system32\28463\svchost.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2192
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C AT /delete /yes
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1868
              • C:\Windows\SysWOW64\at.exe
                AT /delete /yes
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1356
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3644
              • C:\Windows\SysWOW64\at.exe
                AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe
                6⤵
                • System Location Discovery: System Language Discovery
                PID:8
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4508
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3736
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2616
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:976
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3792
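The process tree above is a detection opportunity in itself: net.exe stopping "Kingsoft AntiVirus Service", cmd.exe running a $$*.bat from the user's Temp directory, at.exe wiping all jobs and then creating an interactive daily job, svchost.exe executing from a numeric subdirectory of SysWOW64, and the dropped Logo1_.exe. The following is an added example, not code from the tria.ge report: a handful of rules run over process-creation events and report which rules each event trips. SAMPLE_EVENTS are constructed records in the shape of Sysmon Event ID 1 (pid, ppid, image, command line); the command lines are copied from the tree, while the benign svchost.exe control event is made up. The service-name keywords and the at.exe patterns are assumptions chosen to generalise beyond this one sample.

```python
"""Process-creation rules for the execution chain in the tree above.

Added example, not part of the tria.ge report. Command lines in
SAMPLE_EVENTS are copied from the tree; the benign control is constructed.
"""
import re

RULES = {
    # net.exe / net1.exe stopping a service whose name looks like a security product
    "av_service_stop": re.compile(
        r'\bnet1?(?:\.exe)?\s+stop\s+"?[^"]*(?:antivirus|anti-virus|defender|security)[^"]*"?',
        re.IGNORECASE),
    # cmd /c launching a batch file dropped under %LOCALAPPDATA%\Temp
    "temp_batch_launch": re.compile(
        r'\bcmd(?:\.exe)?\s+/c\s+\S*\\AppData\\Local\\Temp\\\S+\.bat\b', re.IGNORECASE),
    # legacy scheduler: at.exe creating an interactive job on every day of the week
    "at_job_persistence": re.compile(
        r'\bat(?:\.exe)?\s+\d{1,2}:\d{2}\s+/interactive\s+/every:', re.IGNORECASE),
    # at.exe clearing all existing jobs first
    "at_job_wipe": re.compile(r'\bat(?:\.exe)?\s+/delete\s+/yes\b', re.IGNORECASE),
}
# svchost.exe is legitimate only directly under System32 or SysWOW64.
LEGIT_SVCHOST = re.compile(r'^C:\\Windows\\(?:System32|SysWOW64)\\svchost\.exe$', re.IGNORECASE)
# File names taken from this report's process tree; a name match is weak on its own.
KNOWN_ARTIFACT_NAMES = {"logo1_.exe"}


def classify(event):
    """Return the list of rule names the event trips (empty if none)."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    image = event["image"]
    basename = image.rsplit("\\", 1)[-1].lower()
    if basename == "svchost.exe" and not LEGIT_SVCHOST.match(image):
        hits.append("svchost_masquerade")
    if basename in KNOWN_ARTIFACT_NAMES:
        hits.append("known_artifact_name")
    return hits


def triage(events):
    """Map pid -> hits for every event that trips at least one rule."""
    out = {}
    for event in events:
        hits = classify(event)
        if hits:
            out[event["pid"]] = hits
    return out


# Constructed events; command lines copied from the report's process tree.
SAMPLE_EVENTS = [
    {"pid": 2156, "ppid": 3436,
     "image": r"C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe"'},
    {"pid": 1592, "ppid": 2156, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r'net stop "Kingsoft AntiVirus Service"'},
    {"pid": 2280, "ppid": 2156, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat"},
    {"pid": 2192, "ppid": 3984, "image": r"C:\Windows\SysWOW64\28463\svchost.exe",
     "cmdline": r"C:\Windows\system32\28463\svchost.exe"},
    {"pid": 1356, "ppid": 1868, "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"AT /delete /yes"},
    {"pid": 8, "ppid": 3644, "image": r"C:\Windows\SysWOW64\at.exe",
     "cmdline": r"AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\svchost .exe"},
    {"pid": 4508, "ppid": 2156, "image": r"C:\Windows\Logo1_.exe",
     "cmdline": r"C:\Windows\Logo1_.exe"},
    # benign control (constructed): the real service host
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The svchost rule keys on the image path rather than the command line because the AT job command in the tree names `C:\Windows\system32\svchost .exe` with a space; whatever that resolves to at 09:00, the child process record will carry the real image path. The initial launch of the sample (pid 2156) trips nothing on its own, which is the point: the chain is what identifies it.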

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files\7-Zip\7z.exe.Exe

      Filesize

      598KB

      MD5

      fc105fe20ce7de74e2e70cc75609641d

      SHA1

      b0fb4e85aa39ddde22dc6b74d293b52829bf3a88

      SHA256

      da10d63d0cf739b0e15ed22c3d5b809d7eb60b3726473a8b6b962739318ef11c

      SHA512

      b178a0c6fa3e1153ec0b5064f782bbcc71ab1607c4ea1e6df1d258f41be31b2d5198485c945c07cb6ce6ab76b3844900193c10546967403945b8dc55bc8add14

    • C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat

      Filesize

      614B

      MD5

      7c6f42bccb345c62dcfd66b522f3a1c2

      SHA1

      f81c07405bc958763f5293a0264fc2b303212058

      SHA256

      5540c663f34e48d090eba6a7c47f541c513bfc014de250d7a484f50938ffe979

      SHA512

      dbc70fada82ee5a6a4cef4dc0370d7ab1a053c7a97b7864a1564b7a10a2c1a268771486d1783bc85a468bcea8229bc6ad30089561fa752f855860b3cc35c67f1

    • C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe.exe

      Filesize

      602KB

      MD5

      ad98a35fa9b7808c3ec9008d628cff27

      SHA1

      fc6c9b0e9a9d0fb6f59165564331045fd12ff7f5

      SHA256

      ba4f73899cc8cb4b8fcc97eff5cb0d1f4ec6fd60c2de6ed57f1d40dc9fd0f28a

      SHA512

      27de9feded864d1d9fb1b261e559751a31b897de555ebcda384d96102ee9991bdaa6c7ad691b958e9120e8098b715a43c3cac2131e4938a428c0e75ef669c2f6

    • C:\Windows\Logo1_.exe

      Filesize

      54KB

      MD5

      68d9f79334a728b64d4fb7118ca9ed44

      SHA1

      68fd2b791a55cfc8ae6a59fd0c710016e7ddae68

      SHA256

      cd5d6a9067696241fc09aed06561bf2f57ec3a7547e06a0924b1e1e68279b783

      SHA512

      e9859b0a6f8ce15c9935a7b2f68087f0347ce19ea58eb31f31e697889a14a43ec5547649c1ad085adecdb5cb78fa35514e47653a341240c0fd20aa8970bbce58

    • C:\Windows\SysWOW64\28463\svchost.001

      Filesize

      2KB

      MD5

      c427f41a9eb12166c278da8fed8a0c4a

      SHA1

      e0e1d1c8f6b58675a544f1461997cfc37a2e6c63

      SHA256

      ee74d1ba7e74e916f57ac4134aa5aa6eb7f920e7dae3b4cdb75af9225da616c6

      SHA512

      ea2e49983e04afaa0eec5b28eeed1e9c804326b49933e69962805c10a405cb7dd87061e50355f395e74107cb6ca674d4c8c0000ef13505ec58b1d7dec873aa85

    • C:\Windows\SysWOW64\28463\svchost.exe

      Filesize

      513KB

      MD5

      0c7a714b8e1d2ead2afc90dcc43bbe18

      SHA1

      66736613f22771f5da5606ed8c80b572b3f5c103

      SHA256

      800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e

      SHA512

      35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4

    • C:\Windows\SysWOW64\setting.ini

      Filesize

      2B

      MD5

      e0aa021e21dddbd6d8cecec71e9cf564

      SHA1

      9ce3bd4224c8c1780db56b4125ecf3f24bf748b7

      SHA256

      565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3

      SHA512

      900110c951560eff857b440e89cc29f529416e0e3b3d7f0ad51651bfdbd8025b91768c5ed7db5352d1a5523354ce06ced2c42047e33a3e958a1bba5f742db874

    • C:\Windows\SysWOW64\setup.ini

      Filesize

      96B

      MD5

      9ece103c47335f0cc777f1132b8d522f

      SHA1

      63afa171c64f86d99db81723e1335e960e85fa43

      SHA256

      69815d4932ddde240ce6b1353305d2fab58ca402e9c478452c8e37ce8a7b2ac9

      SHA512

      b1ac64c71c6338bf0ab33df938128822da680f20d0552edb2edb808f1c75bafb88467412fc8dc60ed8022a1f0c4f3fcbecb69a320ec871b3a766482f32d6eb05

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      842B

      MD5

      6f4adf207ef402d9ef40c6aa52ffd245

      SHA1

      4b05b495619c643f02e278dede8f5b1392555a57

      SHA256

      d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

      SHA512

      a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

    • memory/2156-1-0x0000000000510000-0x0000000000530000-memory.dmp

      Filesize

      128KB

    • memory/2156-12-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/2156-0-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/3984-74-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-827-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-837-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-836-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-835-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-75-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-76-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-834-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-756-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-18-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-828-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-829-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-830-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-831-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-832-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/3984-833-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

    • memory/4508-14-0x0000000000510000-0x0000000000550000-memory.dmp

      Filesize

      256KB

    • memory/4508-10-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/4508-73-0x0000000000510000-0x0000000000550000-memory.dmp

      Filesize

      256KB

    • memory/4508-72-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB
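The Downloads list doubles as a host-sweep IOC set. The following is an added example, not code from the tria.ge report: REPORT_SHA256 copies the SHA256 values and paths listed above, `scan()` checks (path, bytes) pairs so it runs offline, and `walk()` applies the same check to a real directory tree. Two path heuristics sit beside the hash match: a double executable extension, mirroring the "Renames multiple (216) files with added filename extension" signature and the 7z.exe.Exe artefact, and a numeric subdirectory under System32/SysWOW64, generalised (as an assumption) from the 28463 directory in the report. SAMPLE_ENTRIES and their contents are constructed; the bytes are placeholders, not the real files.

```python
"""Sweeping a host for the file artefacts listed under Downloads.

Added example, not part of the tria.ge report. Hash values are copied
from the Downloads list; SAMPLE_ENTRIES are constructed.
"""
import hashlib
import os
import re

# SHA256 -> path as listed in the report.
REPORT_SHA256 = {
    "da10d63d0cf739b0e15ed22c3d5b809d7eb60b3726473a8b6b962739318ef11c": r"C:\Program Files\7-Zip\7z.exe.Exe",
    "5540c663f34e48d090eba6a7c47f541c513bfc014de250d7a484f50938ffe979": r"C:\Users\Admin\AppData\Local\Temp\$$a7F61.bat",
    "ba4f73899cc8cb4b8fcc97eff5cb0d1f4ec6fd60c2de6ed57f1d40dc9fd0f28a": r"C:\Users\Admin\AppData\Local\Temp\d8cab9f0e1d8aa81e904fd511fd4db06_JaffaCakes118.exe.exe",
    "cd5d6a9067696241fc09aed06561bf2f57ec3a7547e06a0924b1e1e68279b783": r"C:\Windows\Logo1_.exe",
    "ee74d1ba7e74e916f57ac4134aa5aa6eb7f920e7dae3b4cdb75af9225da616c6": r"C:\Windows\SysWOW64\28463\svchost.001",
    "800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e": r"C:\Windows\SysWOW64\28463\svchost.exe",
    "565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3": r"C:\Windows\SysWOW64\setting.ini",
    "69815d4932ddde240ce6b1353305d2fab58ca402e9c478452c8e37ce8a7b2ac9": r"C:\Windows\SysWOW64\setup.ini",
    "d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e": r"C:\Windows\system32\drivers\etc\hosts",
}
# An executable extension followed by a second .exe, e.g. 7z.exe.Exe.
DOUBLE_EXT = re.compile(r'\.(?:exe|dll|com|scr)\.exe$', re.IGNORECASE)
# Numeric subdirectory under a system directory (assumption generalised from 28463).
DROP_DIR = re.compile(r'^C:\\Windows\\(?:System32|SysWOW64)\\\d+\\', re.IGNORECASE)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def classify_file(path, data, iocs=REPORT_SHA256):
    """Return the reasons a file is flagged (empty list if none)."""
    reasons = []
    digest = sha256_bytes(data)
    if digest in iocs:
        reasons.append("sha256_ioc:" + iocs[digest])
    name = os.path.basename(path.replace("\\", "/"))
    if DOUBLE_EXT.search(name):
        reasons.append("double_extension")
    if DROP_DIR.match(path):
        reasons.append("numeric_subdir_in_system_dir")
    return reasons


def scan(entries, iocs=REPORT_SHA256):
    """entries: iterable of (path, bytes). Returns {path: reasons} for flagged files."""
    out = {}
    for path, data in entries:
        reasons = classify_file(path, data, iocs)
        if reasons:
            out[path] = reasons
    return out


def walk(root, iocs=REPORT_SHA256):
    """Same check over a real directory tree (a mounted image or a live host)."""
    def entries():
        for directory, _, files in os.walk(root):
            for filename in files:
                full = os.path.join(directory, filename)
                try:
                    with open(full, "rb") as fh:
                        yield full, fh.read()
                except OSError:
                    continue
    return scan(entries(), iocs)


# Constructed entries; the byte contents are placeholders, not the real files.
SAMPLE_ENTRIES = [
    (r"C:\Program Files\7-Zip\7z.exe.Exe", b"MZ placeholder (constructed)"),
    (r"C:\Windows\SysWOW64\28463\svchost.exe", b"MZ placeholder (constructed)"),
    (r"C:\Windows\System32\svchost.exe", b"MZ placeholder, benign control (constructed)"),
    (r"C:\Users\Admin\report.txt", b"abc"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_ENTRIES).items():
        print(path, reasons)
```

The hashes of 7z.exe.Exe, the renamed copy of the sample and the hosts file are tied to this sandbox image (they depend on the victim's original files), so on another host expect the path and double-extension checks to fire before the hash match does; the Logo1_.exe and 28463\svchost.exe hashes are the ones worth carrying into a fleet-wide sweep.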