Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2024, 17:15 UTC

General

  • Target

    9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    9cd793b2589f1f961bd32df45e261b3b

  • SHA1

    1a3ed9b70f9a24a09d8b5a0d1bc5b360ae739fe4

  • SHA256

    ce1d50b440c3ecfe3be4c8482811d9d949b7f8b8cb71cab0ba11f3f9c0537895

  • SHA512

    2256934e8c6cea84e0d4d5578c5734ddb5979a0fe69d268620a4f5b8887bb754e597585990b06de381506f83b05420261a4fb62182fec3830e601418e74eb23b

  • SSDEEP

    24576:jGaUTAAvOEg2q4fP1aBF4EW4l3M236cTltOdvacxfOxqIMvAjWWGdkczBTJCimwm:jGrTAAv3g2q4Fs396cSdycxfzIMEWzz2

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9cd793b2589f1f961bd32df45e261b3b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SysWOW64\IISWME\DHD.exe
      "C:\Windows\system32\IISWME\DHD.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\IISWME\DHD.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:684

Network

  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    104.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    104.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\IISWME\AKV.exe

    Filesize

    536KB

    MD5

    37b7ccd6152104d6da614c2ac21abf86

    SHA1

    c2a1cb4bc0475a0ee486dc9b3249a267b155e6bf

    SHA256

    e33cd5c9c1e4fb101ab8f95a068a2604641a455105cf3c5e1a45a813d0588c11

    SHA512

    479db2cf0da07fc8604fcff4c658dfe62cf8b45a3a3ee3deacbedc0f6c7fc7914cb2a4a674b68146bc90eccfb29af6e842ef1524790608073eb95936e2b80518

  • C:\Windows\SysWOW64\IISWME\DHD.001

    Filesize

    60KB

    MD5

    5b79ad0d1d30119158b5ab4147edbd96

    SHA1

    6f802d57d49d7063e40b7bebafa8fb1051e0a907

    SHA256

    4ccebd38ac000cbc33a6cfc2e87e900ef64ba4b978f3facfdb5870e217ac3ff7

    SHA512

    497e3eff3c7356cf12efd153b651d1a1ef2cb07302eb5b71dcff0d6732e5273bcff5f82897dff85cdaae0bc159fa9c4588e3bc90ab12521532675bf116757c6b

  • C:\Windows\SysWOW64\IISWME\DHD.002

    Filesize

    43KB

    MD5

    af3efaa90f29f6506693136ae1674fc7

    SHA1

    897aea8f6df7e29d43954512fc390b97c0eb4550

    SHA256

    4658d92f74df5ee142c08157985e25e41f74aaaa4256df9dfc9a011b7c3f0f44

    SHA512

    1a87ce2d0767204b1d636ce70c083c71f5cfa064680218906ff86c233968baca7ef605f2b1d9bfaf8326a8cbff7074ace766604b283c1a2b50d5788038dc9863

  • C:\Windows\SysWOW64\IISWME\DHD.004

    Filesize

    1KB

    MD5

    2d19f1ea4f74d8d7328409a958426d3c

    SHA1

    9c144e960917f303ea9962147d9e2249bd02d86d

    SHA256

    9c0e65e90261bc57f1b8a21d4ab354570f46353763a74869b98abec2d0b03d07

    SHA512

    b8c25c8b468ab32a660fe2f153811f7bd128b5b569413d935058ae6039c353f1bfd1a64acfb9e75f165dfc076923eaf37b60d8e7ce9d791a73b6439519a27424

  • C:\Windows\SysWOW64\IISWME\DHD.exe

    Filesize

    1.7MB

    MD5

    78dd492b06d03744d1954781d33775ca

    SHA1

    ef9462193e6ba7be64458ea1be6afcaeadc574b1

    SHA256

    c0664f94e9b2a7817f79b9457c31e524ef72ed7c073e79546d67e857b4637ede

    SHA512

    f88734970018f46b8c4ce350cccf577ac056957e933deb493becbc30b7165834ca68db423850220f8944b364dc97e1423247192faf4f3e4db85cf25c4576eef9

  • memory/2356-16-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

  • memory/2356-18-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.