Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/09/2024, 09:56
Static task: static1
Behavioral task: behavioral1
  Sample: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe
  Resource: win10v2004-20240910-en
General
Target: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe
Size: 615KB
MD5: 00bc3e42bad28bd8508e95e67b6f0a90
SHA1: 2ce0166a482a6ff85d6c1f306714f70c1fb14a6b
SHA256: ce397ff6d45374de3ca73d6e1a7ae4d1dd903ca06ef29c8206ca81032c8e1a25
SHA512: 17c9c4a5a763839880a3da6ca6ac27d8ceb07040b6be95896b4c421e621a04ae9679d6fa483a825ac06edcd3f176f738d01d11b4681a86d6941f9addd929ad79
SSDEEP: 12288:GwYPeuehyGRqLTV1ci9sPSMafQwusbquYclnc7Uyo:GwuewGgLTIi6paIw1+Acy
Malware Config
Signatures
- Ardamax main executable (1 IoC)
  resource: behavioral1/files/0x0008000000017047-37.dat
  yara_rule: family_ardamax
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  PID 2812: Exporer32.exe
  PID 2596: GYEQ.exe
- Loads dropped DLL (7 IoCs)
  PID 2792: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe (2 events)
  PID 2812: Exporer32.exe (3 events)
  PID 2596: GYEQ.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GYEQ Agent = "C:\\Windows\\SysWOW64\\28463\\GYEQ.exe" (process: GYEQ.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\28463\GYEQ.006 (process: Exporer32.exe)
  File created: C:\Windows\SysWOW64\28463\GYEQ.007 (process: Exporer32.exe)
  File created: C:\Windows\SysWOW64\28463\GYEQ.exe (process: Exporer32.exe)
  File created: C:\Windows\SysWOW64\28463\AKV.exe (process: Exporer32.exe)
  File opened for modification: C:\Windows\SysWOW64\28463 (process: GYEQ.exe)
  File created: C:\Windows\SysWOW64\28463\GYEQ.001 (process: Exporer32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Exporer32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: GYEQ.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (PID 2596, GYEQ.exe)
  Token: SeIncBasePriorityPrivilege (PID 2596, GYEQ.exe)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 2792: 00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe (1 event)
  PID 2596: GYEQ.exe (5 events)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2792 (00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe) wrote to memory of PID 2812, procid_target 30 (4 events)
  PID 2812 (Exporer32.exe) wrote to memory of PID 2596, procid_target 31 (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe"
   PID: 2792
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Maps connected drives based on registry
   - System Location Discovery: System Language Discovery
   - Checks processor information in registry
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Exporer32.exe (child of PID 2792)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      PID: 2812
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\28463\GYEQ.exe (child of PID 2812)
         Command line: "C:\Windows\system32\28463\GYEQ.exe"
         PID: 2596
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads