Site notice: Windows 7 deprecation. Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 95s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/12/2024, 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
- Size: 1.4MB
- MD5: dabc537658c490f3bec6af67daec0092
- SHA1: a08e90f3157980d8a2f2daeb8cf9a88904835c8a
- SHA256: ab8f334d3e7167d5e2eab34072db4ffc93ea56bc536ce31ed0a9a9484ff41622
- SHA512: a3b815d0c500d56e4ba759794d1967f3d44153ef5e7925c506ae8d2f013be8eee08ccb26884cd0dd1fd28964ed1774ab33970fbe1f5dd5fcaeab86deacdd864d
- SSDEEP: 24576:HbPTzpzDfr4exd/N3nXqH3tne0sMTfys7d+6jf4p71wJ44ZJl4MPWzovDnnzS:H7Ttzn42d/N3X/037M6cl24aJlHOW
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x0007000000023c68-7.dat
  yara_rule: family_ardamax
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: RRB.exe)
- Executes dropped EXE (1 IoC)
  PID 2736: RRB.exe
- Loads dropped DLL (1 IoC)
  PID 2736: RRB.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RRB Start = "C:\\Windows\\SysWOW64\\AHLCIX\\RRB.exe" (process: RRB.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (5 IoCs)
  File created: C:\Windows\SysWOW64\AHLCIX\RRB.exe (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\AHLCIX\ (process: RRB.exe)
  File created: C:\Windows\SysWOW64\AHLCIX\RRB.004 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\AHLCIX\RRB.001 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\AHLCIX\RRB.002 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RRB.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: 33 (PID 2736, RRB.exe)
  Token: SeIncBasePriorityPrivilege (PID 2736, RRB.exe)
  Token: SeIncBasePriorityPrivilege (PID 2736, RRB.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 2736: RRB.exe
  PID 2736: RRB.exe
  PID 2736: RRB.exe
  PID 2736: RRB.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1144 wrote to memory of 2736 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 83)
  PID 1144 wrote to memory of 2736 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 83)
  PID 1144 wrote to memory of 2736 (process: dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe, procid_target: 83)
  PID 2736 wrote to memory of 1748 (process: RRB.exe, procid_target: 100)
  PID 2736 wrote to memory of 1748 (process: RRB.exe, procid_target: 100)
  PID 2736 wrote to memory of 1748 (process: RRB.exe, procid_target: 100)
Processes
- C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe (PID 1144, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\AHLCIX\RRB.exe (PID 2736, level 2)
    Command line: "C:\Windows\system32\AHLCIX\RRB.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1748, level 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AHLCIX\RRB.exe > nul
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads