Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/09/2024, 15:37

General

  • Target

    021747066f9e052f90782827a2be2b5b_JaffaCakes118.exe

  • Size

    520KB

  • MD5

    021747066f9e052f90782827a2be2b5b

  • SHA1

    78c23045de2babc50d435ae412950ea505e2e6fe

  • SHA256

    db1263b169d2c287892cfb29e1e5d45452dd510cde2aef312aeb3766b01141fa

  • SHA512

    0aa6249d52a58bddcaae81766337f2392904a8b3443dc91472834344fed078c82fd01fbb5eaf4f04830e54d884bf09842b8aceadf27a050cd2f2623e62035120

  • SSDEEP

    12288:bFZzJQlN07E+XzREERZFMv0qIf0RK6BLPYt2IfNyRLvEFDLUJVd:57s07hXzR1XILlIfNyB11

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\021747066f9e052f90782827a2be2b5b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\021747066f9e052f90782827a2be2b5b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\Sys\XTHT.exe
      "C:\Windows\system32\Sys\XTHT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\Undy Creator.exe
      "C:\Users\Admin\AppData\Local\Temp\Undy Creator.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabD25E.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarD30D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\SysWOW64\Sys\AKV.exe

    Filesize

    390KB

    MD5

    5255e3bd1037d42bbba2365412623a3b

    SHA1

    b473061ee152172ba5e33cae18f55774467a070f

    SHA256

    8e7e780b484bf5a5edce3dbdee2374ace11214b122560146b5859d8359c93655

    SHA512

    86af1d593b480622dcb4835d5f10045452eb20a01a04eba13734fd5bfec2515321072747c8fd4c95714022058e891f7cd55efee00b95d7e51c845aaabf4a793e

  • C:\Windows\SysWOW64\Sys\XTHT.001

    Filesize

    390B

    MD5

    33a92655a204eb6fb4f472830f2ca8a1

    SHA1

    2fba1e9ebf156c950d8b514d02b67e3152edeeec

    SHA256

    4a967b9e6a14bcf4ae6d6d243df88081a0969eb15841dbacd5a9433a9ee7f8ca

    SHA512

    70ba9a2ce056a6b42a50c4c138122562b97296b7445d05feab72ee02eaf4951a77ef8536a0614785b9d7f947a489e763dcde36a7f8d0d3425b8c74fe080da40e

  • C:\Windows\SysWOW64\Sys\XTHT.004

    Filesize

    15KB

    MD5

    b3d7c450a0e3cd5cb502360df3a246a7

    SHA1

    ee1c25f1def0f12984ab3bc357ac92f3c7929f4c

    SHA256

    d3adf6429f93dc93d2839a74cba69a45d10329d32a8ccb7517bd5c67cda034ed

    SHA512

    13514bd7993b4d3de04f550a33f135483f6d3078408c0d5f098bf5a53ee56833f2f27c9f97f77412bb02cf490b89793c9244a3cf24d940452a1b8951a46576b2

  • C:\Windows\SysWOW64\Sys\XTHT.006

    Filesize

    7KB

    MD5

    385d77949ecf6cfdb4f3d15bf29dfbe4

    SHA1

    09bd106320e68a5a14aeb2a34e4f0a6a627c0d36

    SHA256

    39659a7497354c9329be266683ae28be650b7639bca1def42af5d351e265762c

    SHA512

    b9baea0afb78944080598fc11c5f6c76b3adde37838f4fe3c9371fb9508fea03b7ec6775e9fdc65f39a94103cb061970ea8c51ded113701eede00d4a2fda0db9

  • C:\Windows\SysWOW64\Sys\XTHT.007

    Filesize

    5KB

    MD5

    f50daad1c62b3af9daceddc982d3a28c

    SHA1

    8519625cc16fac60381ea27b3339e62cef15c629

    SHA256

    246af3478a40b10bb54bbfb2aab8fb9965e702836f049dd9db714da8873b42d5

    SHA512

    8451a35d6a037f0224f292baf151e1c367df394bdca0c7c4c90f43c6b275f1f8173af1bf1791005398ca36678b76df3e8e49f51438f9deec86a529a9c81925fc

  • C:\Windows\SysWOW64\Sys\XTHT.chm

    Filesize

    33KB

    MD5

    620939d8d1c2ef290627806c1e22acb3

    SHA1

    43e7ddf293a7aa747312e04087f14b8dfac03e92

    SHA256

    10f182b47bc95accf151a4668705df834b425c28f130b1a1de8cbd6370d1f933

    SHA512

    1041f8835e537c79e0d6b50b509f66c3267de680e64bca68c485394e5e73322d697a59024963c1e4a06ce52df36eee7b9f5e4dc1ebaa37d98dd20accb44c5be7

  • \Users\Admin\AppData\Local\Temp\@A7B4.tmp

    Filesize

    4KB

    MD5

    730e7e458c7770fd80947b6ce9f7109a

    SHA1

    ef07be19ec55590ffce101951d12e7c6c5b7aaca

    SHA256

    70033d7c8520fb53a247b355559c3a156e22719e52cf55102edbbcfabc5ad096

    SHA512

    12f141144761e880af6567048036c7c482e6306158454f4c3a7821c1a5f5526771e3c473ddcc9cbe0860d4e61a5d5f092a59567222d0a995cdd1aeda5667a596

  • \Users\Admin\AppData\Local\Temp\Undy Creator.exe

    Filesize

    28KB

    MD5

    320f01c1429cd8f089ff432083f5e817

    SHA1

    625c978a44282e5676da593d5c0374f875e94d58

    SHA256

    34e116b6d704b6d69c8571455bd1a2b884d85b4ec5c70a872791c8dff8b97c3b

    SHA512

    9009317cb56131ea4924123d30434a0b9632e1bdd2912b9e704330e08cd015309f18eaf85d98f2a90bfbe26d1c9bc64e8297b41368a2ec7e4dfe34ef136f07b7

  • \Windows\SysWOW64\Sys\XTHT.exe

    Filesize

    476KB

    MD5

    b22ecd38fb2828478a5ff60e7a255e16

    SHA1

    078d9e7d975a2769e8c2ad40279e265eff89b033

    SHA256

    c2280b3b99486452228dd51dbd61db2afeb98d3cc5e8e48c5fb314c5af1a913a

    SHA512

    336de2a0a9975a254dad2e87b3c5388e6fd5560fd5d47d0f4f882f216a4e23dc3d8cb894161587d6a1d0d8845fce92589afc41a6db7947de81ffd023764762cd

  • memory/2560-62-0x0000000005180000-0x0000000005592000-memory.dmp

    Filesize

    4.1MB

  • memory/3016-47-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/3016-39-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB