Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2024, 20:13
Static task: static1
Behavioral task: behavioral1
Sample: 0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
Size: 196KB
MD5: 0c4d69452fe818fd0117ec239c2943eb
SHA1: 72db664da6857c647dbe32501d94c0ee38afcdec
SHA256: 125d86f0d7cd8c22d44f3f7c5cc02ad658aace1243be5b85af2fe7a211f711a4
SHA512: fa5a57ed9f4e8f914283aa34526ed4ced1361c0f82bf3ca9f6ca351eabe3788afa59ac6ffd79d06c9815385050cefe6fe0dbf2202f5f27488623d99f03da71ac
SSDEEP: 3072:7zCNmpyGzKOrzdZj+xYo0+DUmKXSmm6hoiHJZS75tkAPaWWOc62j14E:7smpyGjrzd9Z+bKfmWXrS7rVPaWlcKE
Malware Config
Signatures
Ardamax main executable (1 IoC)
  resource                                    yara_rule
  behavioral1/files/0x0007000000018bf3-9.dat  family_ardamax

Executes dropped EXE (1 IoC)
  pid   Process
  2908  HJB.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  2908  HJB.exe
  2908  HJB.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
  description                   ioc                              Process
  File created                  C:\Windows\SysWOW64\Sys\HJB.001  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\Sys\HJB.006  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\Sys\HJB.007  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\Sys\HJB.exe  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\Sys          HJB.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  HJB.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: 33                          2908  HJB.exe
  Token: SeIncBasePriorityPrivilege  2908  HJB.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2908  HJB.exe
  2908  HJB.exe
  2908  HJB.exe
  2908  HJB.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                             procid_target
  PID 2384 wrote to memory of 2908  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe  31
  PID 2384 wrote to memory of 2908  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe  31
  PID 2384 wrote to memory of 2908  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe  31
  PID 2384 wrote to memory of 2908  2384  0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe"
   PID: 2384
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Sys\HJB.exe (child of process 1)
      Command line: "C:\Windows\system32\Sys\HJB.exe"
      PID: 2908
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads