Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 18:34 UTC

General

  • Target

    49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    49611940363b3ade59162fb625e0d7cd

  • SHA1

    4da611cef59a246ab8a29076538e17342a9dbd99

  • SHA256

    b93fee87ce907c8915acc68b08c436f494af40d93e04a2cbfe30808882856e79

  • SHA512

    146a42039700fb51a943def8a3f90d953de57dcb8b9f68b086562ac33e3c4ffd94f8034dde5a4e1b4aae9b7944460fc6a2ad596875960ddf8c0677660283e38a

  • SSDEEP

    24576:ujXTx80EKGKmO3RN0X65argTKFd5+5vegDfE:uDTxzpmO3RHGZS2oE

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:236
    • C:\Windows\SysWOW64\OYAIJG\IPG.exe
      "C:\Windows\system32\OYAIJG\IPG.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OYAIJG\IPG.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1776
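
The process tree above is the behaviour behind the "Indicator Removal: File Deletion" signature: the dropper in %TEMP% (PID 236) writes IPG.exe into a fresh SysWOW64 subdirectory, that copy (PID 2396) runs, and it then spawns cmd.exe (PID 1776) to delete its own image. Note the path spelling: the command lines say C:\Windows\system32\..., the image paths say C:\Windows\SysWOW64\..., because the sample is 32-bit (arch:x86 tag) and file-system redirection on 64-bit Windows maps the one onto the other, so any detection that compares a child's del target with the parent's image must fold the two. The code below is an added example written for this page, not tria.ge's own detection logic; the event structure (pid, ppid, image, command line) is assumed, and the sample events are constructed, with the PIDs and paths copied from the tree above and one benign cmd.exe added as a control.

```python
"""Detection logic over process-creation events, modelled on the process tree in
this report. Added example, not tria.ge code; the event fields are assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process's image
    cmdline: str    # its command line


def normalize(path: str) -> str:
    """Canonicalise a Windows path for comparison.

    A 32-bit process on 64-bit Windows writes "C:\\Windows\\system32\\..." in its
    command line but actually runs from "C:\\Windows\\SysWOW64\\..." because of
    file-system redirection; the report shows both spellings for IPG.exe.
    Folding SysWOW64 onto system32 lets the two be compared directly.
    """
    p = path.strip().strip('"').lower()
    return p.replace("\\syswow64\\", "\\system32\\")


def del_targets(cmdline: str) -> list[str]:
    """Return the paths passed to cmd.exe's del/erase, dropping switches
    such as /q and anything after the first redirection or separator."""
    m = re.search(r"\b(?:del|erase)\b(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return []
    args = re.split(r"\s*[>&|]", m.group(1), maxsplit=1)[0]
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', args)]
    return [t for t in tokens if not t.startswith("/")]


def self_delete_hits(events):
    """Flag cmd.exe children whose del target is their parent's own image
    (the self-deletion seen as PID 1776 -> PID 2396 in the report)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not normalize(e.image).endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        parent_image = normalize(parent.image)
        if any(normalize(t) == parent_image for t in del_targets(e.cmdline)):
            hits.append((e.pid, parent.pid, parent.image))
    return hits


def system_dir_drop_hits(events):
    """Hunt heuristic: an executable started from a subdirectory of
    system32/SysWOW64 by a parent running out of a user's Temp directory
    (PID 236 in %TEMP% starting PID 2396 under SysWOW64\\OYAIJG\\)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child = normalize(e.image)
        prefix = "c:\\windows\\system32\\"
        if not child.startswith(prefix) or "\\" not in child[len(prefix):]:
            continue  # not in system32, or a binary directly in system32
        if "\\appdata\\local\\temp\\" in normalize(parent.image):
            hits.append((e.pid, e.image))
    return hits


# Constructed sample events: PIDs and paths copied from the report's process
# tree (parent PID of the dropper is assumed); the last two are a made-up
# benign control where cmd.exe deletes a log file rather than its parent.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\49611940363b3ade59162fb625e0d7cd_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    ProcEvent(236, 1, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2396, 236, r"C:\Windows\SysWOW64\OYAIJG\IPG.exe",
              r'"C:\Windows\system32\OYAIJG\IPG.exe"'),
    ProcEvent(1776, 2396, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\OYAIJG\IPG.exe > nul'),
    ProcEvent(2900, 1, r"C:\Program Files\Builder\build.exe",
              r'"C:\Program Files\Builder\build.exe"'),
    ProcEvent(3000, 2900, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\build.log" > nul'),
]

if __name__ == "__main__":
    for hit in self_delete_hits(SAMPLE_EVENTS):
        print("self-delete:", hit)
    for hit in system_dir_drop_hits(SAMPLE_EVENTS):
        print("system-dir drop from Temp parent:", hit)
```

The self-delete rule is high-signal on its own; the Temp-parent heuristic is for hunting and will also fire on legitimate installers that launch, say, powershell.exe from its system32 subdirectory, so triage it together with the other signatures (dropped-DLL loads, Run key, SetWindowsHookEx) rather than alerting on it alone. Relative del targets and deletions via rd /s or a batch file are out of scope for this parser.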

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\OYAIJG\AKV.exe

    Filesize

    490KB

    MD5

    7c945f8ff017b9c3e00fb23e47c05b88

    SHA1

    c5808f4a6494f5f619584ce1eea3bd63fab41675

    SHA256

    0beb5579a7321017b3efe319e40af7ad940c4d64916295929fe0e88bdd35e848

    SHA512

    feb202e2c63be69ad77160716bcf4f83bd90571349c6115955fb2ea584d8913dd153ca782974e3b50c9a8cd58df01ade6c88339f0c43c2af5778fc3457132246

  • C:\Windows\SysWOW64\OYAIJG\IPG.002

    Filesize

    42KB

    MD5

    ecb9e8c27d6cc6ffd1e857767b9c6f24

    SHA1

    10a9a5054e6f1c8d1bda456b9ecb5bf359faf010

    SHA256

    5d948e3a55e9b1de0e9f8f89d0dd3a769bbd8d178f3297cc02864f5688dbcb29

    SHA512

    259ae145a962426b9b60d585d939caf86043b9031480b472ab8ee91eada3d1d7d6fc502718fbbc07ac9600368e81f87e68fd10d5fa039a85a1d4a8ddfde1968e

  • C:\Windows\SysWOW64\OYAIJG\IPG.004

    Filesize

    800B

    MD5

    3749238257a2a3fab2bd8a144acd9de9

    SHA1

    184ce77a4b35486d99cb819efd647f6cd1735197

    SHA256

    2d1daa653b187f9898616eedd722c23607c3521ce0a1e08cef86425e4662fc90

    SHA512

    f77f947d2c50d72984547d6810b841af9a28e927353887537f4ed2f88b5db31d9a15bc757a2e87531b3890fde932d960ce009876b36ef7c28c5a7388fe595915

  • \Windows\SysWOW64\OYAIJG\IPG.001

    Filesize

    60KB

    MD5

    256d32d205671ac8ed51e56c5c5d2d56

    SHA1

    c0e98db79b026a2ba7c4838bf11d6e8775a10262

    SHA256

    064d8c21bd0cf41315cef61af65be92327275633fbdf37771c3d996202909a9a

    SHA512

    197a6c0d27550d4756c124b41310ae39e546449da3254c15d0070bfeec4600d12f4e653f12e4a554c69eeab615f3e159960805c029f9b4abb197b64af78c5581

  • \Windows\SysWOW64\OYAIJG\IPG.exe

    Filesize

    1.3MB

    MD5

    6c94881041df04b34498298262be0095

    SHA1

    a55cf3e5b3d04cbc3fff689219bb4176db698afa

    SHA256

    b8e1a7f773703fd5b7e7658bc3f54fd50e4ea6502f9ed3b996c3ef9c977b3d9f

    SHA512

    dba2ad2dcb51d7dc9e01e668e91132fbb22c6c1423c3dc96c081a1bcc2614987e4091d99c9035abf4c1c2b485c36095a06cfaea67431e1d18a83c186bcea4fbf

  • memory/2396-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/2396-17-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB
