Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/10/2024, 04:09
Static task
static1
Behavioral task
behavioral1
Sample
7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe
-
Size
572KB
-
MD5
7243d2dd2c6160ce5ce29cfd5161b826
-
SHA1
5d7701e0b1e3aef3ba950bc31585df418373ff64
-
SHA256
9ed1bd70a534d7389b8a03d94eb0c23da123e367629509dc97a40f3b63ca2a2b
-
SHA512
92adceb9141b717e43ed8ae2fddf7b1a3e7dba2ae13cf9bcec027885197c1f40ba0026faa52741bc9572a3a8b3ea83bce1766bbdaef17871de4954bca56ebb59
-
SSDEEP
6144:9ov67XgTTSjN81oqYcTq4A28FPzCsVyUhn8aZyMy1NT1lD1Hr0vuJ:yvTW8ppq4AZCsVphnzUM41LEuJ
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
resource yara_rule behavioral1/files/0x0007000000016dc8-9.dat family_ardamax -
Executes dropped EXE 1 IoCs
pid Process 2680 JLUW.exe -
Loads dropped DLL 7 IoCs
pid Process 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 2680 JLUW.exe 2680 JLUW.exe 2896 AcroRd32.exe 2896 AcroRd32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JLUW Agent = "C:\\Windows\\SysWOW64\\28463\\JLUW.exe" JLUW.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\28463\JLUW.006 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe File created C:\Windows\SysWOW64\28463\JLUW.007 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe File created C:\Windows\SysWOW64\28463\JLUW.exe 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\28463 JLUW.exe File created C:\Windows\SysWOW64\28463\JLUW.001 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JLUW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2896 AcroRd32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2680 JLUW.exe Token: SeIncBasePriorityPrivilege 2680 JLUW.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2680 JLUW.exe 2680 JLUW.exe 2680 JLUW.exe 2680 JLUW.exe 2680 JLUW.exe 2896 AcroRd32.exe 2896 AcroRd32.exe 2896 AcroRd32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2680 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 28 PID 2296 wrote to memory of 2680 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 28 PID 2296 wrote to memory of 2680 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 28 PID 2296 wrote to memory of 2680 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 28 PID 2296 wrote to memory of 2896 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 29 PID 2296 wrote to memory of 2896 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 29 PID 2296 wrote to memory of 2896 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 29 PID 2296 wrote to memory of 2896 2296 7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7243d2dd2c6160ce5ce29cfd5161b826_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\28463\JLUW.exe"C:\Windows\system32\28463\JLUW.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FortyMistakesMenMakeDuringSex.pdf"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2896
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD51bb4c745f5918abcc66d3302cdeb025f
SHA155b25bca8054c01ab5768af5f61d70a0669c5e94
SHA2564c7bf01a3a1599875961eb513f644efc3b9adf379fb8965c7fbad9fb15978c97
SHA5127baed4b35c504e0dab794659e42f12e1c7022c7db86c08a7336d8cebb9a3667f5a7fb6557144760f6806a0783abc395f11cad88d33b408ee16af23f554594afd
-
Filesize
3KB
MD572fdf205f5afcfebe231cb3f6d78dca4
SHA111fc565b413c23efd14efc4046c5787269a855de
SHA2567c0e1b9f3b50b28122c625e35520371b3ec30240ccf3d2e1ed3fa59a903cfd20
SHA512891fe3f01054daf08483e46f74baab0e1fddaf5815fdb3478a44afb3be5f3edb923aa7a277133a67233dce30e8c435fe7b44734b19673674db274cc03ff42015
-
Filesize
454B
MD56bc1557a87952b4b59f6323a75700d3c
SHA13f0f6cce5e604d785344c978d9cb8088e45d54e9
SHA2567b159c4485e83f94a0433dd141fcfac7f8eb7879c00da83089f37d63b499aa18
SHA512ece0d7a4abafc8316e9de19070f76222803eede7f1c1e49a36be766ee61ade6b9ee60c99755a15f80ecee7d9913af64c428bba2816b94ee5f969f3482da0552f
-
Filesize
8KB
MD586d96c93965255cef35ca42413188b75
SHA19d77f203267febe047d049584e5c79f1c1801b2d
SHA256b796bd1f5cdb1d1db91c3aca1ac700c015775b9caf2725fbf4b6089a096f21c5
SHA5122db81080a16494ec549f4f39ee382580ba12cd5cbfe31632c8459ba94d767ce1ad3e9c0e6643f80530ae5e316fc42dca05708eeade7ce3c0341d669325cdb095
-
Filesize
5KB
MD5b73942c11844487ca7fc3e78062c8abb
SHA128f4c4159528ccbe9d83b5cd5e157861d11ff04c
SHA2564ba88f8964ee02a395d88974fd43b05610cf520b4ab40f36b3f98715ce1e0984
SHA512d4c782f5abd91b3396b243345f968eb5a705a7aefeedf92e62047309f7ccf223c0825623c184de66e3667c22eb371f0329be97ea70f6d72b54f98b22042e1f9c
-
Filesize
4KB
MD59dc64557fcebd521ca4b267da15c2914
SHA1c2247f9e0f0c8d11c7b9ab93f43ed53943d0bdd2
SHA256a49cb9cbab2a60418b2079d4110123682fc980bb6b46ac5ada144797b5fa2cf4
SHA51200241a139ca307c5eb4d89fa8b6296833961091286282c3482746e4a3589ef61e6d007edb6aa6fa1ef812d57bf63a8e495e0db712e17decc77bbae2490cdbe01
-
Filesize
472KB
MD5324154483b20e6f67a3c1486e3fc7c6a
SHA1d6630eb1d8555b48413434b4a5d54c8de819cbf8
SHA256ded1c934280294375d7b926773511e4d5e6c8dbb22b0dd25a80a6b0b3af065d3
SHA51236349f7c53b9989eac63e8c91b7fb009a5a0dce934242ae5956a5e3d3764949a87296adeba81f3da96b5e035f3755b4dd75de2ffa211b7db296313c52f6d478b