Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/12/2024, 17:29

General

  • Target

    dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    dabc537658c490f3bec6af67daec0092

  • SHA1

    a08e90f3157980d8a2f2daeb8cf9a88904835c8a

  • SHA256

    ab8f334d3e7167d5e2eab34072db4ffc93ea56bc536ce31ed0a9a9484ff41622

  • SHA512

    a3b815d0c500d56e4ba759794d1967f3d44153ef5e7925c506ae8d2f013be8eee08ccb26884cd0dd1fd28964ed1774ab33970fbe1f5dd5fcaeab86deacdd864d

  • SSDEEP

    24576:HbPTzpzDfr4exd/N3nXqH3tne0sMTfys7d+6jf4p71wJ44ZJl4MPWzovDnnzS:H7Ttzn42d/N3X/037M6cl24aJlHOW

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dabc537658c490f3bec6af67daec0092_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\AHLCIX\RRB.exe
      "C:\Windows\system32\AHLCIX\RRB.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AHLCIX\RRB.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\AHLCIX\RRB.001

    Filesize

    61KB

    MD5

    8d8041fe45149cc7383c52f719c4d1d6

    SHA1

    ae81719657952ad493161bcf0788fb45357dc03e

    SHA256

    cd6a210bcc19fc0f301fe3fb0cc58318d275df9666057877f7dc56ff0c134531

    SHA512

    0eb1168a4596b4ca5fbe864e16e5ec3cb8fc7cd6a6407ee095a34d7d5dcaa4ca270022b00f1ece2ee9048b6fd29cfdad9a0900dbf5a75d7a69d09bfa73c23983

  • C:\Windows\SysWOW64\AHLCIX\RRB.002

    Filesize

    43KB

    MD5

    d977f26d7f7ffcb0f002813b55ff032d

    SHA1

    7e17b642dc1286908c18caba6fedb890de8fcc86

    SHA256

    2ce6c66843f0d0f156ae523f25d2cf4c9886fcae7b4f69deefbde4bc5328bf29

    SHA512

    e291f6acf5df88c52eb9232d55eb43fc08cbd423b7ae46148f710de909db49c04fc1d64e05b8e307ddd880134c525188109b94182ca99ea5934b66b9316e9e25

  • C:\Windows\SysWOW64\AHLCIX\RRB.004

    Filesize

    636B

    MD5

    9b69baa37c6655a8317033092b598800

    SHA1

    5974b98d630891344ca0844fe09f832d80fd8bfc

    SHA256

    8012a81c1316282e07e226bf1d2ea49d878ae2cfc75b85f30150c8cd3b6c14fc

    SHA512

    c88661dd19869a77eb46b9e60f896a7a9f7280148b8d1c0e96f9448352884e7fab8231f6eb8259f6f3e6309bc153d578697990f7f1e288e3726c7e007a5e5b08

  • C:\Windows\SysWOW64\AHLCIX\RRB.exe

    Filesize

    1.4MB

    MD5

    27a49221ba75a90934342bbe70f6c954

    SHA1

    751e322d6f7e46c132f0f97c56d60344248f1959

    SHA256

    946611f5091452aa46310d3ba8a885e808617b8ae9c57a468f7fe3abda4b052d

    SHA512

    9476f49d2e3c10f3e5cd91313e03405f944bc9887fd65e6c2236caab3a42e2c9a5392d7c34f6c5787a7dc8c3cfd43a3a90a6e052176aa60a43da0327d7ff78d6

  • memory/2736-15-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

  • memory/2736-17-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB