Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/09/2024, 09:56

General

  • Target

    00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe

  • Size

    615KB

  • MD5

    00bc3e42bad28bd8508e95e67b6f0a90

  • SHA1

    2ce0166a482a6ff85d6c1f306714f70c1fb14a6b

  • SHA256

    ce397ff6d45374de3ca73d6e1a7ae4d1dd903ca06ef29c8206ca81032c8e1a25

  • SHA512

    17c9c4a5a763839880a3da6ca6ac27d8ceb07040b6be95896b4c421e621a04ae9679d6fa483a825ac06edcd3f176f738d01d11b4681a86d6941f9addd929ad79

  • SSDEEP

    12288:GwYPeuehyGRqLTV1ci9sPSMafQwusbquYclnc7Uyo:GwuewGgLTIi6paIw1+Acy

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\28463\GYEQ.exe
        "C:\Windows\system32\28463\GYEQ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\jI82l\PCGWIN32.LI5

    Filesize

    2KB

    MD5

    594d97fe0213bd6d9a02ff1cc2d89354

    SHA1

    0d725b718e25d8513e575051b6ef41c421b7145c

    SHA256

    e00f9ecf3a82bbafce8845dcfd169eccf2b6194e9a1ade337e1354a2f830f15f

    SHA512

    afcc5a8c08d9347f505344560f2e0570f973a1b2bf23d6232c610b0d8fe56e12237fae61dac61bad5767ec64c96032fa40feac0667d26576865cc9d54d418187

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    394KB

    MD5

    b87e2e56dbf34fb12705317f4d361c12

    SHA1

    3b4a6c2fddaab9f71747437c60dc7ad85661b4fa

    SHA256

    1ed5873542484a3f4c898de6684fc04bc0929e4fc795cd09b4b86f17e817d85a

    SHA512

    9d1bf05a200efda561f3141d3a4c70a347ba2a64fbfb5fb9b432956660b4aabc492f93fa50ba1928a3c408ec048c357a50cb79d12ba6200b28b1aeb98dbc39a0

  • C:\Windows\SysWOW64\28463\GYEQ.001

    Filesize

    430B

    MD5

    7ae64157546199c567ce2a038db34321

    SHA1

    754fa02b788bfa2d183c24e3aa213792c8919b1f

    SHA256

    cd81210dbe72116d7a3225f07eb26191b9d81c3676e4385121b3ce23852d5969

    SHA512

    35342c25ac9f9cc8b1042efc5bb9853c3467fc8b58a11524e3cc10e075cd4821c454cd5c1803852dc23e087b03182debd439754a4ab4b359f7b6a2f8087436b0

  • C:\Windows\SysWOW64\28463\GYEQ.006

    Filesize

    8KB

    MD5

    aae8ccee5d5eed5748d13f474123efea

    SHA1

    6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

    SHA256

    10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

    SHA512

    d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

  • C:\Windows\SysWOW64\28463\GYEQ.007

    Filesize

    5KB

    MD5

    40685d22d05d92462a2cfc1bba9a81b7

    SHA1

    f0e19012d0ed000148898b1e1264736bed438da8

    SHA256

    cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

    SHA512

    21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

  • \Users\Admin\AppData\Local\Temp\@7281.tmp

    Filesize

    4KB

    MD5

    27092ec75c1839f36bfe900a38acc484

    SHA1

    fe14b750a0ed653246c5f358891f8c1241913bb2

    SHA256

    e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

    SHA512

    815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

  • \Users\Admin\AppData\Local\Temp\Exporer32.exe

    Filesize

    503KB

    MD5

    dfd36b5381c2498adbb63582f0b46985

    SHA1

    ff7fae9bcb89fe0390726a0e905c20a559ceb54c

    SHA256

    466be1008e6f2b3c269bff754adb04d83a8502111c5bddee6543e4cf36e9bdb5

    SHA512

    27aa585383b2e01eb5e6167d7257500ba1951d32fdb30e97f012af000e54aec3ec54e051f1ea580f9ebb89e76ac5765fc5a8168e59183aa0038e84c58ae2f1e1

  • \Windows\SysWOW64\28463\GYEQ.exe

    Filesize

    473KB

    MD5

    339ae4ce820cda75bbb363b2ed1c06fd

    SHA1

    62399c6102cc98ed66cbcd88a63ff870cf7b2100

    SHA256

    1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

    SHA512

    5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

  • memory/2596-52-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2596-55-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2792-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2792-26-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2792-27-0x00000000002A0000-0x00000000002B7000-memory.dmp

    Filesize

    92KB

  • memory/2792-1-0x00000000002A0000-0x00000000002B7000-memory.dmp

    Filesize

    92KB