Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/10/2024, 16:21

General

  • Target

    6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe

  • Size

    882KB

  • MD5

    6fd623b53ad08afc12e78d86a5d2ef43

  • SHA1

    b42c45fea5ffd0ce3024e844611423f493f88180

  • SHA256

    09abaf754ff9d3739ce8e871d7009df0065468c537da9b5ed88371c216f06e83

  • SHA512

    d78ad22c369e2eb37f47abce88eafd5009f1de5592977211d22f45f9eeb6a8b00d985f675971d12193b01f240cb978725123a5aac35f0a8082f951f2ccbf6caf

  • SSDEEP

    24576:DYMN9LB6VmQDWzzTWCqK2di16PniFYTBaL+POlc8:DHhB6VZCqpd0AiF4BI+PCN

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (7 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\28463\WGCD.exe
      "C:\Windows\system32\28463\WGCD.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3772
    • C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@D978.tmp

    Filesize

    4KB

    MD5

    91374d9ab21e5ebc2cc82c2b5d46d116

    SHA1

    2107cdb63bd762a1d12c5b7475f73fc433fd05b6

    SHA256

    2aaf236aefea2d3500d57b78cc683a50843e73b8270279686a1eb78e37937d23

    SHA512

    465061b230203c464cbfea3447249d7b603773b60c3c882a254b19699dd825ddc01bba2c475dd2fc1081927b97de0d395b99d6afe365faf8b0c9db24c0d4323b

  • C:\Users\Admin\AppData\Local\Temp\setup_akl.exe

    Filesize

    417KB

    MD5

    0e1de64ff61e6514142b68fd71cd0273

    SHA1

    05d2bb3d08d39014cd72f6f9d877729116e83dfc

    SHA256

    66683e591b6520d8f215b16ef985f106b5642fe00b7a2d3618f4e84c44fafa53

    SHA512

    4b46ccd9cb938b3f7b69ec087803f614efb9e54bbbf9c851e18f9349956d5ba20872d700859ae4ac368b63e19838236c8149022b17de27cf67c1a60636a46195

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    393KB

    MD5

    a655980f1ccb7e183aef71419e01051f

    SHA1

    26bf8f2a1c096fcf014f4d38a7262d4c8a5eae5e

    SHA256

    d2af94a00c4de38dbc481c50e439768a9aa0ee2cca057efb759a10068c66e57b

    SHA512

    66fed05ff2a9dd9ea9565274cd32dec3ad42a0ff41ab468f1d751697fbf246a5ed1112ce8f556ffcec607eefce1cdfd5a3d9954a99b1b58e342a9239592c97ad

  • C:\Windows\SysWOW64\28463\WGCD.001

    Filesize

    422B

    MD5

    f9dc00b4b763eedcdb780ee6ecb55768

    SHA1

    ec156bcf9f9d1be96752838ff4646827a819ea1e

    SHA256

    cc507ef9c445b4c23100a9a888575970e9c3343b109b9f2a8b79699340f5072c

    SHA512

    1df042ed2a0540fe0e4fca520d495d9da833d36b3526e28faa4b9673c1af314673ba2b12a6fb8e9927f79966bf6a1747146a4c288899239f4a617688f994b217

  • C:\Windows\SysWOW64\28463\WGCD.006

    Filesize

    7KB

    MD5

    c8cea38934bbb1d53dabd5680d12612e

    SHA1

    438b909d2a80b2995e2eb5e4fc12d21185bd7f9e

    SHA256

    77d3390580bc51da413b5a4fdce4f70c23dba979904f0f64f5aa8091e300c8ad

    SHA512

    4fd62a8b1260e6ead4c1ea178e35255ed8a1f31819080ef358f8b6f1975f705f9df0b901c870be58b10aa7b34263bd670afaeee315247fb5eb262caf70fc10a8

  • C:\Windows\SysWOW64\28463\WGCD.007

    Filesize

    5KB

    MD5

    00ff3cd6c61e7d48ee1ae5f6b6b3876b

    SHA1

    efe6bcdb012525d11d2f2f10a3c362c06fe48a22

    SHA256

    043b156e49a23c85ea6524729ca89c0932a7ffa5d39328182be212c7f403719e

    SHA512

    52aa11472123dc19a2bea54fbf18b3cb5803ce47f831427d0316421653826a945a8cb914e592b4e9311ff97884f998021d8dbc0c94e2c69e04c99103e55986a4

  • C:\Windows\SysWOW64\28463\WGCD.exe

    Filesize

    471KB

    MD5

    b19358a11fc5bf245df5816361d4d24c

    SHA1

    22c92178047080c254aa2ed601f027a52f22c44b

    SHA256

    fb6bd2ac12914944697900aeaaf5606c475e8d3c5a5c9bdc345ce037a2218a74

    SHA512

    e92f9d73b25c1d922dd742ca63a0af7152eb6e748d2b06e84993273636a31fdf09071414c3576f4734da70f0f15835caaaa812da1a928abff1d67879ed6a2d45

  • memory/3772-22-0x0000000000C00000-0x0000000000C01000-memory.dmp

    Filesize

    4KB

  • memory/3772-38-0x0000000000C00000-0x0000000000C01000-memory.dmp

    Filesize

    4KB