Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

fe396ab6c1...18.exe

windows7-x64

10

fe396ab6c1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe396ab6c1ad631330e75ba662f51525_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    fe396ab6c1ad631330e75ba662f51525

  • SHA1

    ad01126d540379ec35be64fe973199da2a848fdf

  • SHA256

    f740547db44521211b8f5fdaf267243e45004c2315e4bc7c84a165d9d3aeaa43

  • SHA512

    aa0c071455be41abcc4250bdc57197616e49c9f940dfceeb6eee48ec41e14c65c6713916b71722f4869c99f68301718df7a061ecc6f6bd4fd4a07bc60b90f7c8

  • SSDEEP

    24576:zk/AToBLnzLwnQV7CXLugQE2TwaaJhLECJAnfUzrqE0N:YoTWp7GLTl2Ea0ECenf6rP

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe396ab6c1ad631330e75ba662f51525_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe396ab6c1ad631330e75ba662f51525_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\SysWOW64\WTWOVR\XNT.exe
      "C:\Windows\system32\WTWOVR\XNT.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\WTWOVR\XNT.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2212
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Rate Request Form.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rate Request Form.doc
    Filesize

    50KB

    MD5

    c1d1a2b6935173aabb4040c6649e65b0

    SHA1

    5c4dd25a741d45c8120aef127078d8c421141f36

    SHA256

    be4a82009588293b98034115ba3993125a5ff417eea9b36073c97fd3b9d34a57

    SHA512

    d2df057074238465724f64b985e0c90bd4a0e0338c88d6096a0ec98bad7748c957b9ef2f24ddd75b49cbe64bba2c65e1f5a696d330f06d16cc79fc24e8b0a06f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDFC07.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    4KB

    MD5

    fc9fcea9dbcc6bb6ba574e60cec49fc1

    SHA1

    ca46cbd1e19790e4bcbe4f7a70ce4edf7fd354c5

    SHA256

    783957df6b1a4cfa77fcd9044c5ed48d76c4b7239a332ce1378df936997e727f

    SHA512

    3487403a4ff0997c236b5e11f76f0bf4efe549bf1791dd4178c871b6b5460fc5707ab390f942f33d1bec9c712547a0ce12fd3b1e7e156df73bcb69717b5b6f53

    Download Submit

  • C:\Windows\SysWOW64\WTWOVR\AKV.exe
    Filesize

    463KB

    MD5

    eb916da4abe4ff314662089013c8f832

    SHA1

    1e7e611cc6922a2851bcf135806ab51cdb499efa

    SHA256

    96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

    SHA512

    d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

    Download Submit

  • C:\Windows\SysWOW64\WTWOVR\XNT.001
    Filesize

    61KB

    MD5

    425ff37c76030ca0eb60321eedd4afdd

    SHA1

    7dde5e9ce5c4057d3db149f323fa43ed29d90e09

    SHA256

    70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

    SHA512

    ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

    Download Submit

  • C:\Windows\SysWOW64\WTWOVR\XNT.002
    Filesize

    43KB

    MD5

    12fb4f589942682a478b7c7881dfcba2

    SHA1

    a3d490c6cda965708a1ff6a0dc4e88037e0d6336

    SHA256

    4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

    SHA512

    dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

    Download Submit

  • C:\Windows\SysWOW64\WTWOVR\XNT.004
    Filesize

    1KB

    MD5

    f9d31f49ab0caccf0411c20b816733f9

    SHA1

    1f66a21c6b22443b78056b285cc928fe226a5d77

    SHA256

    11e3b99df50c624a793611625a5cdba638d6ffdcddf3b8515a2d2bbb2ebfbfd0

    SHA512

    4e713438948d30a1720e36a214c2a5cd50a1336933a458ad75fc76a819167b83b0688eaf929a1f8c6c9cf14ce6df2b61e8b3b4b941653b99fb2d0edbb9bc3c3d

    Download Submit

  • C:\Windows\SysWOW64\WTWOVR\XNT.exe
    Filesize

    1.5MB

    MD5

    f8530f0dfe90c7c1e20239b0a7643041

    SHA1

    3e0208ab84b8444a69c8d62ad0b81c4186395802

    SHA256

    734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

    SHA512

    5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

    Download Submit

  • memory/1068-41-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-49-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-29-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-31-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-35-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-37-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-36-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-32-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-34-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-33-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-38-0x00007FF865800000-0x00007FF865810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-39-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-28-0x00007FF8A80CD000-0x00007FF8A80CE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1068-40-0x00007FF865800000-0x00007FF865810000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-42-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-44-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-48-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-30-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-47-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-46-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-45-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-43-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-214-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-63-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-64-0x00007FF8A80CD000-0x00007FF8A80CE000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1068-65-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-66-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1068-27-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-212-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-211-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-210-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1068-213-0x00007FF8680B0000-0x00007FF8680C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3120-17-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3120-62-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

    Filesize

    4KB

    Download