Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

00bc3e42ba...18.exe

windows7-x64

10

00bc3e42ba...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe

  • Size

    615KB

  • MD5

    00bc3e42bad28bd8508e95e67b6f0a90

  • SHA1

    2ce0166a482a6ff85d6c1f306714f70c1fb14a6b

  • SHA256

    ce397ff6d45374de3ca73d6e1a7ae4d1dd903ca06ef29c8206ca81032c8e1a25

  • SHA512

    17c9c4a5a763839880a3da6ca6ac27d8ceb07040b6be95896b4c421e621a04ae9679d6fa483a825ac06edcd3f176f738d01d11b4681a86d6941f9addd929ad79

  • SSDEEP

    12288:GwYPeuehyGRqLTV1ci9sPSMafQwusbquYclnc7Uyo:GwuewGgLTIi6paIw1+Acy

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\00bc3e42bad28bd8508e95e67b6f0a90_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
      "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Windows\SysWOW64\28463\GYEQ.exe
        "C:\Windows\system32\28463\GYEQ.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\jI82l\PCGWIN32.LI5
    Filesize

    2KB

    MD5

    7536d4ca533cee91f19234a844be025c

    SHA1

    30b9619fbd9ebecb98f2bd33add79b5b8c136f9f

    SHA256

    d87d87ed676763a96ffb968aba4acda8bf5ff68697de8bd8521932d29b37cb32

    SHA512

    67f1da3d86cf2c52e2ed0da01ed9553a86cd4795b51cb491136c7ab0ea62d5d12d06ab0f688803c94020ae083f2ab61c3f809e182a9dc822f7e04c69852e7570

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\@BA76.tmp
    Filesize

    4KB

    MD5

    27092ec75c1839f36bfe900a38acc484

    SHA1

    fe14b750a0ed653246c5f358891f8c1241913bb2

    SHA256

    e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

    SHA512

    815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    Filesize

    503KB

    MD5

    dfd36b5381c2498adbb63582f0b46985

    SHA1

    ff7fae9bcb89fe0390726a0e905c20a559ceb54c

    SHA256

    466be1008e6f2b3c269bff754adb04d83a8502111c5bddee6543e4cf36e9bdb5

    SHA512

    27aa585383b2e01eb5e6167d7257500ba1951d32fdb30e97f012af000e54aec3ec54e051f1ea580f9ebb89e76ac5765fc5a8168e59183aa0038e84c58ae2f1e1

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    394KB

    MD5

    b87e2e56dbf34fb12705317f4d361c12

    SHA1

    3b4a6c2fddaab9f71747437c60dc7ad85661b4fa

    SHA256

    1ed5873542484a3f4c898de6684fc04bc0929e4fc795cd09b4b86f17e817d85a

    SHA512

    9d1bf05a200efda561f3141d3a4c70a347ba2a64fbfb5fb9b432956660b4aabc492f93fa50ba1928a3c408ec048c357a50cb79d12ba6200b28b1aeb98dbc39a0

    Download Submit

  • C:\Windows\SysWOW64\28463\GYEQ.001
    Filesize

    430B

    MD5

    7ae64157546199c567ce2a038db34321

    SHA1

    754fa02b788bfa2d183c24e3aa213792c8919b1f

    SHA256

    cd81210dbe72116d7a3225f07eb26191b9d81c3676e4385121b3ce23852d5969

    SHA512

    35342c25ac9f9cc8b1042efc5bb9853c3467fc8b58a11524e3cc10e075cd4821c454cd5c1803852dc23e087b03182debd439754a4ab4b359f7b6a2f8087436b0

    Download Submit

  • C:\Windows\SysWOW64\28463\GYEQ.006
    Filesize

    8KB

    MD5

    aae8ccee5d5eed5748d13f474123efea

    SHA1

    6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

    SHA256

    10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

    SHA512

    d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

    Download Submit

  • C:\Windows\SysWOW64\28463\GYEQ.007
    Filesize

    5KB

    MD5

    40685d22d05d92462a2cfc1bba9a81b7

    SHA1

    f0e19012d0ed000148898b1e1264736bed438da8

    SHA256

    cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

    SHA512

    21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

    Download Submit

  • C:\Windows\SysWOW64\28463\GYEQ.exe
    Filesize

    473KB

    MD5

    339ae4ce820cda75bbb363b2ed1c06fd

    SHA1

    62399c6102cc98ed66cbcd88a63ff870cf7b2100

    SHA256

    1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

    SHA512

    5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

    Download Submit

  • memory/1992-49-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1992-53-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3580-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3580-25-0x0000000002160000-0x0000000002177000-memory.dmp

    Filesize

    92KB

    Download

  • memory/3580-24-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3580-1-0x0000000002160000-0x0000000002177000-memory.dmp

    Filesize

    92KB

    Download