Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    02/10/2024, 20:13

General

  • Target

    0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    0c4d69452fe818fd0117ec239c2943eb

  • SHA1

    72db664da6857c647dbe32501d94c0ee38afcdec

  • SHA256

    125d86f0d7cd8c22d44f3f7c5cc02ad658aace1243be5b85af2fe7a211f711a4

  • SHA512

    fa5a57ed9f4e8f914283aa34526ed4ced1361c0f82bf3ca9f6ca351eabe3788afa59ac6ffd79d06c9815385050cefe6fe0dbf2202f5f27488623d99f03da71ac

  • SSDEEP

    3072:7zCNmpyGzKOrzdZj+xYo0+DUmKXSmm6hoiHJZS75tkAPaWWOc62j14E:7smpyGjrzd9Z+bKfmWXrS7rVPaWlcKE

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c4d69452fe818fd0117ec239c2943eb_JaffaCakes118.exe"
    1
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\Sys\HJB.exe
      "C:\Windows\system32\Sys\HJB.exe"
      2
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Sys\HJB.001

    Filesize

    2KB

    MD5

    e8fe6fe4a5e3b52319702a250d1c2bf1

    SHA1

    aaedc44abbc7a39e8de9f0aafadc3d723828bb4e

    SHA256

    8c300e587eb9af3498b8f2cf1bc5a1620c1bd8e1d542261656112bb75295006d

    SHA512

    40ccc6ee78e480d7e4f5d0522feda43c3d7b9c2bbc7037f185df699f61532c760575d441c9da52b1a1cc29f99e76b0ed0e967717bd40a8734918d257bc2afb18

  • C:\Windows\SysWOW64\Sys\HJB.006

    Filesize

    5KB

    MD5

    74caf5b74ba47e2856c0ec7328772622

    SHA1

    4a542a3c8d7a5ae626d84698202c482a9d340525

    SHA256

    ca4e77e8c938dd7516b6869542b836072870e80d28e49fd6bf3f8818ade1fa05

    SHA512

    d179d5052873061a1cda91918ccbc5013c510683addc65c319bd663e5faa451fdbe3a4b1b412c9b91990b60c891b33b358d2b146b97c0f146f153e54ebb3c8cc

  • C:\Windows\SysWOW64\Sys\HJB.007

    Filesize

    4KB

    MD5

    40987586e4cc322efcc1945e3cabfff9

    SHA1

    0a70fa4a9c33cdd2e3b1b406b26105d0bbdf5405

    SHA256

    5d0cf6ca55aff3dfc11b43e7dc193cfa337be2da785acb20d185b9d0f8a552c7

    SHA512

    218fa37041b8191d84835d348b9671f6dbb05acdee0b6cec295e388ffd5f175979211a2f09d30c7fc5754847479a0c828ca308934229fdbd21fdaaac1162b45a

  • \Users\Admin\AppData\Local\Temp\@D8D2.tmp

    Filesize

    4KB

    MD5

    3cd32c2807889a8670908c19babf58a3

    SHA1

    08e7dbf58a06536a9bd1f09154db8cbc3d2b94d2

    SHA256

    d1cb352518d223ce610287f4538968a362c0ffd018c6978758daaeb09730ad1e

    SHA512

    1d0b6fb389aa9bd14fda66faec228771ca6f8d10e76f4fa9712df768dd66158e3d338d1560637496f932f2b8200d739e26f65f8d0cb93466edd396130cc97fef

  • \Windows\SysWOW64\Sys\HJB.exe

    Filesize

    298KB

    MD5

    2d7c66e3bd54bbe29b6510fd413e845c

    SHA1

    0e0d5956298d2cfee29697600ada8064afa1d17a

    SHA256

    2452b71820e2e1c1c4a9b8250349df71106e520b25a531c81df54412d3c1335f

    SHA512

    ffe5dad0472bf07b570aec36707632eb13d71aa8e0434ac47bcdeb5c7e92b6a02689136274c020f9d5eb7a6e0ea34e141368fb17e14b83af3c0a280b12ae906d

  • memory/2908-22-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2908-25-0x000000007762F000-0x0000000077630000-memory.dmp

    Filesize

    4KB

  • memory/2908-26-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB