Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    24/10/2024, 04:09

General

  • Target

    7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe

  • Size

    572KB

  • MD5

    7243d2dd2c6160ce5ce29cfd5161b826

  • SHA1

    5d7701e0b1e3aef3ba950bc31585df418373ff64

  • SHA256

    9ed1bd70a534d7389b8a03d94eb0c23da123e367629509dc97a40f3b63ca2a2b

  • SHA512

    92adceb9141b717e43ed8ae2fddf7b1a3e7dba2ae13cf9bcec027885197c1f40ba0026faa52741bc9572a3a8b3ea83bce1766bbdaef17871de4954bca56ebb59

  • SSDEEP

    6144:9ov67XgTTSjN81oqYcTq4A28FPzCsVyUhn8aZyMy1NT1lD1Hr0vuJ:yvTW8ppq4AZCsVphnzUM41LEuJ

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\28463\JLUW.exe
      "C:\Windows\system32\28463\JLUW.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2896
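The process tree above is the whole infection chain in four steps: the dropper in Temp writes JLUW.exe and its .001/.006/.007 companions into a numeric folder under SysWOW64, executes it, the child registers itself under a Run key and installs a keyboard hook, and the dropper opens a decoy PDF in Acrobat Reader so the victim sees something expected. Below is an added Python example, not part of the tria.ge report, that correlates constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue) modelled on this report's PIDs and paths and flags exactly those behaviours. The events are constructed, the parent PID 1804 and the Run value name "JLUW" are assumptions (the report only says a Run key was added), and the regex for the numeric system subfolder is derived from the paths shown here rather than from a published Ardamax rule.

```python
import re
from collections import defaultdict

# Drop layout seen in this report: <name>.exe plus .001/.006/.007 companions in a
# numeric subfolder of the 32-bit system directory (C:\Windows\SysWOW64\28463\).
SYSDIR_DROP = re.compile(
    r"^C:\\Windows\\(?:SysWOW64|System32)\\\d{3,6}\\[^\\]+\.(?:exe|0\d\d)$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DOC_VIEWERS = {"acrord32.exe", "winword.exe", "excel.exe", "wordpad.exe"}

# Constructed Sysmon-style events. This is NOT telemetry from the sandbox run:
# PIDs and paths are taken from the report's process tree, the parent PID 1804
# and the Run value name "JLUW" are assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 2296, "ParentProcessId": 1804,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe"'},
    {"EventID": 11, "ProcessId": 2296, "TargetFilename": r"C:\Windows\SysWOW64\28463\JLUW.exe"},
    {"EventID": 11, "ProcessId": 2296, "TargetFilename": r"C:\Windows\SysWOW64\28463\JLUW.001"},
    {"EventID": 11, "ProcessId": 2296, "TargetFilename": r"C:\Windows\SysWOW64\28463\JLUW.006"},
    {"EventID": 11, "ProcessId": 2296, "TargetFilename": r"C:\Windows\SysWOW64\28463\JLUW.007"},
    {"EventID": 11, "ProcessId": 2296,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf"},
    # The child is launched via the WoW64-redirected system32 path but its
    # real image lives in SysWOW64, so match on Image, not on CommandLine.
    {"EventID": 1, "ProcessId": 2680, "ParentProcessId": 2296,
     "Image": r"C:\Windows\SysWOW64\28463\JLUW.exe",
     "CommandLine": r'"C:\Windows\system32\28463\JLUW.exe"'},
    {"EventID": 1, "ProcessId": 2896, "ParentProcessId": 2296,
     "Image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "CommandLine": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf"'},
    {"EventID": 13, "ProcessId": 2680,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JLUW",
     "Details": r"C:\Windows\SysWOW64\28463\JLUW.exe"},
    # Benign control: an unrelated process that drops nothing.
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1804,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def correlate(events):
    """Rebuild per-process state from the events and return {pid: [finding, ...]}.

    Findings are attributed to the parent (the dropper), because that is the
    process whose behaviour ties the chain together; a process with nothing
    suspicious maps to an empty list.
    """
    image_of, parent_of, cmdline_of = {}, {}, {}
    files_created = defaultdict(set)   # pid -> lowercased paths it wrote
    run_values = defaultdict(list)     # pid -> [(run key, data)]
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            image_of[pid] = ev["Image"]
            parent_of[pid] = ev["ParentProcessId"]
            cmdline_of[pid] = ev.get("CommandLine", "")
        elif ev["EventID"] == 11:
            files_created[pid].add(ev["TargetFilename"].lower())
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            run_values[pid].append((ev["TargetObject"], ev["Details"]))

    findings = {pid: [] for pid in image_of}
    for pid, image in image_of.items():
        ppid = parent_of[pid]
        dropped = files_created.get(ppid, set())
        findings.setdefault(ppid, [])  # parent may have started before logging began
        # "Executes dropped EXE": the child's image was written by its parent earlier.
        if image.lower() in dropped:
            findings[ppid].append(f"executes dropped EXE {image} as pid {pid}")
            if SYSDIR_DROP.match(image):
                companions = sorted(f for f in dropped
                                    if SYSDIR_DROP.match(f) and f != image.lower())
                findings[ppid].append(
                    f"dropped EXE in numeric system subfolder with {len(companions)} companion file(s)")
            # "Adds Run key": the dropped child persists its own image under Run.
            for key, data in run_values.get(pid, []):
                if data.lower() == image.lower():
                    findings[ppid].append(f"Run key persistence for dropped EXE: {key}")
        # Decoy document: parent wrote a file into Temp and opened it in a viewer.
        exe_name = image.rsplit("\\", 1)[-1].lower()
        if exe_name in DOC_VIEWERS:
            for f in dropped:
                if TEMP_DIR.match(f) and f in cmdline_of[pid].lower():
                    findings[ppid].append(f"decoy document {f} opened via {exe_name}")
    return findings


def suspicious_roots(findings):
    """PIDs that accumulated at least one finding, sorted for stable output."""
    return sorted(pid for pid, hits in findings.items() if hits)


if __name__ == "__main__":
    result = correlate(EVENTS)
    for pid in suspicious_roots(result):
        print(pid)
        for hit in result[pid]:
            print("  -", hit)
```

Each finding maps to one signature in the report ("Executes dropped EXE", "Adds Run key to start application", the SysWOW64 drop folder under "Drops file in System32 directory") plus the decoy-document behaviour the tree shows but the signature list does not name; keying on the parent is what lets a hunter pivot from the alert back to the original dropper hash.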

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf

    Filesize

    20KB

    MD5

    1bb4c745f5918abcc66d3302cdeb025f

    SHA1

    55b25bca8054c01ab5768af5f61d70a0669c5e94

    SHA256

    4c7bf01a3a1599875961eb513f644efc3b9adf379fb8965c7fbad9fb15978c97

    SHA512

    7baed4b35c504e0dab794659e42f12e1c7022c7db86c08a7336d8cebb9a3667f5a7fb6557144760f6806a0783abc395f11cad88d33b408ee16af23f554594afd

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    72fdf205f5afcfebe231cb3f6d78dca4

    SHA1

    11fc565b413c23efd14efc4046c5787269a855de

    SHA256

    7c0e1b9f3b50b28122c625e35520371b3ec30240ccf3d2e1ed3fa59a903cfd20

    SHA512

    891fe3f01054daf08483e46f74baab0e1fddaf5815fdb3478a44afb3be5f3edb923aa7a277133a67233dce30e8c435fe7b44734b19673674db274cc03ff42015

  • C:\Windows\SysWOW64\28463\JLUW.001

    Filesize

    454B

    MD5

    6bc1557a87952b4b59f6323a75700d3c

    SHA1

    3f0f6cce5e604d785344c978d9cb8088e45d54e9

    SHA256

    7b159c4485e83f94a0433dd141fcfac7f8eb7879c00da83089f37d63b499aa18

    SHA512

    ece0d7a4abafc8316e9de19070f76222803eede7f1c1e49a36be766ee61ade6b9ee60c99755a15f80ecee7d9913af64c428bba2816b94ee5f969f3482da0552f

  • C:\Windows\SysWOW64\28463\JLUW.006

    Filesize

    8KB

    MD5

    86d96c93965255cef35ca42413188b75

    SHA1

    9d77f203267febe047d049584e5c79f1c1801b2d

    SHA256

    b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5

    SHA512

    2db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095

  • C:\Windows\SysWOW64\28463\JLUW.007

    Filesize

    5KB

    MD5

    b73942c11844487ca7fc3e78062c8abb

    SHA1

    28f4c4159528ccbe9d83b5cd5e157861d11ff04c

    SHA256

    4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984

    SHA512

    d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c

  • \Users\Admin\AppData\Local\Temp\@6EAB.tmp

    Filesize

    4KB

    MD5

    9dc64557fcebd521ca4b267da15c2914

    SHA1

    c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2

    SHA256

    a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4

    SHA512

    00241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01

  • \Windows\SysWOW64\28463\JLUW.exe

    Filesize

    472KB

    MD5

    324154483b20e6f67a3c1486e3fc7c6a

    SHA1

    d6630eb1d8555b48413434b4a5d54c8de819cbf8

    SHA256

    ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3

    SHA512

    36349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b

  • memory/2680-23-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/2680-47-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB
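The hashes listed above are what an incident responder would sweep other hosts with, and the drop layout (a numeric folder under SysWOW64 holding JLUW.exe plus .001/.006/.007) is a second, hash-independent indicator in case the binaries were rebuilt. Below is an added Python example, not part of the tria.ge report, that walks a directory tree, matches file SHA-256 values against the IoCs copied from this report, and separately flags any numeric SysWOW64/System32 subfolder containing an .exe with .00N companions. The demo() helper builds a constructed tree with placeholder contents (so none of the real hashes match) and uses an empty file as a stand-in hash hit; file names and the directory structure mirror this report, everything else is assumed.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from this report: the dropper and the component set it
# writes to C:\Windows\SysWOW64\28463\.
ARDAMAX_SHA256 = {
    "9ed1bd70a534d7389b8a03d94eb0c23da123e367629509dc97a40f3b63ca2a2b":
        "7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe (dropper)",
    "ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3": "JLUW.exe",
    "7b159c4485e83f94a0433dd141fcfac7f8eb7879c00da83089f37d63b499aa18": "JLUW.001",
    "b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5": "JLUW.006",
    "4ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984": "JLUW.007",
}
# SHA-256 of zero bytes; used by demo() as a constructed hash hit.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# A numeric subfolder directly under SysWOW64 or System32, on either separator.
COMPONENT_DIR = re.compile(r"(?:^|[\\/])(?:SysWOW64|System32)[\\/]\d{3,6}$", re.I)


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=ARDAMAX_SHA256):
    """Walk root and return (kind, path, detail) tuples.

    kind == "hash":   the file's SHA-256 is in iocs (detail names the IoC).
    kind == "layout": a numeric SysWOW64/System32 subfolder holds an .exe with
                      .00N companions, the Ardamax install pattern in this report.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if digest in iocs:
                findings.append(("hash", path, iocs[digest]))
        if COMPONENT_DIR.search(dirpath):
            stems = {}
            for name in filenames:
                stem, _, ext = name.rpartition(".")
                stems.setdefault(stem.lower(), set()).add(ext.lower())
            for stem, exts in stems.items():
                if "exe" in exts and any(re.fullmatch(r"0\d\d", e) for e in exts):
                    findings.append(("layout", dirpath,
                                     f"{stem}.exe with companions {sorted(exts - {'exe'})}"))
    return findings


def demo():
    """Build a constructed tree shaped like this report's drop layout and sweep it.

    The component files hold placeholder bytes, so no real Ardamax hash matches;
    an empty file under Temp stands in for a hash hit via EMPTY_FILE_SHA256.
    """
    root = tempfile.mkdtemp(prefix="ardamax-sweep-")
    comp = os.path.join(root, "Windows", "SysWOW64", "28463")
    os.makedirs(comp)
    for name in ("JLUW.exe", "JLUW.001", "JLUW.006", "JLUW.007"):
        with open(os.path.join(comp, name), "wb") as fh:
            fh.write(b"placeholder content for " + name.encode())
    temp = os.path.join(root, "Users", "Admin", "AppData", "Local", "Temp")
    os.makedirs(temp)
    open(os.path.join(temp, "hit.bin"), "wb").close()  # zero bytes -> EMPTY_FILE_SHA256
    iocs = {**ARDAMAX_SHA256, EMPTY_FILE_SHA256: "constructed hash hit"}
    return sweep(root, iocs)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"[{kind}] {path}: {detail}")
```

On a live Windows host the call would be sweep(r"C:\") with the default IoC table; the layout check is deliberately independent of the hashes because a rebuilt Ardamax package changes every digest but, on this evidence, keeps the numeric-folder-plus-companions shape.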