Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/01/2025, 22:56 UTC

General

  • Target

    JaffaCakes118_68b82480f42d95aff0d4e83dc2413ab1.exe

  • Size

    2.0MB

  • MD5

    68b82480f42d95aff0d4e83dc2413ab1

  • SHA1

    6f06f5f94b25cf7a17f7009ffa2a9f51c6b7d5ee

  • SHA256

    4c0f4cde7981ab905300efcd647adffcc46d682468cae06fcf46b7a791d6b3d6

  • SHA512

    2598d8bf2518167b875782f4da949a58d2a52f4575c3b2c43844c9594babd068063c2b2ff1f6ab479750c2f970481b1dbd73b0549a46085af52f5c924f5c1a1d

  • SSDEEP

    49152:rUC7YTgYsd3g7lWZ9Q1MWHt5YxmAFuWKJz+jaX:r33rmlrE2b

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b82480f42d95aff0d4e83dc2413ab1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68b82480f42d95aff0d4e83dc2413ab1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\ProgramData\KJOSFC\LGY.exe
      "C:\ProgramData\KJOSFC\LGY.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\KJOSFC\LGY.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\KJOSFC\LGY.00

    Filesize

    2KB

    MD5

    9f60b617a2a459b8e8145a21ebdcf08a

    SHA1

    71452e002b9605029dce25605867f14b71c0015e

    SHA256

    2df4e15612f2986ea1f511abd468d6e4d906bd8f369a7779d2506009d52d8841

    SHA512

    3e8c63675f80f83885159b1218ee2ba4cacc293fa474a3b68283c5ce3691b5b77a27992009b99b644686b3a4daa8bb8679a7c58075e53a550a08936472650969

  • C:\ProgramData\KJOSFC\LGY.01

    Filesize

    80KB

    MD5

    c5b79d794cfea3adfd1307e882668885

    SHA1

    b86e92f61616251ed70b0319225ec9b1d29050c4

    SHA256

    514c161c625713fb800e7920f7efc4d55a1167a16885fa3aa3ae2e4ae25a20c6

    SHA512

    ed12e55c1e26cd44e5273e00c739df9ffc5f378f048809796e2e4a3fd144dd033e4f5ab4317b5066db582dddf5da9d27d036749a738fcc5cf4873535055427a6

  • C:\ProgramData\KJOSFC\LGY.02

    Filesize

    56KB

    MD5

    85942669a5484566b5e8a54873fc2138

    SHA1

    96f180b4d8b1dc922984329fd99ee03dc3c14d86

    SHA256

    e4aa7ad0fccf26671d74e0cba04c135be2ac5a470b7e4d1d5aa62980f19f49ac

    SHA512

    3b9de5be16ad6ecafcc3d07c432a06b68bd0bd9e3926ad496d7589fe2e415daf812bf378d8d5187beb7417ea8e6d41b4c75964d8d5a55ee19fee48d1d4db10cc

  • \ProgramData\KJOSFC\LGY.exe

    Filesize

    2.3MB

    MD5

    29ca8cd6b4da6f0c729cf0a0edb52c9f

    SHA1

    0a509edd7a68eee2f32fbf62708731edf4c6d551

    SHA256

    fa7d72437dbf948ae462b7126747f52144c6613d889a930b180362b009470393

    SHA512

    521aad2ef65a52b002bd4a855a6c696e070549b0f450775b99647f7f681b669080e5e321bfde530bc7ca6a0f95452b6585fa0ba5161bf9a0b07a40336660a582

  • memory/2884-15-0x0000000000400000-0x0000000000684000-memory.dmp

    Filesize

    2.5MB

  • memory/2884-14-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

  • memory/2884-18-0x00000000003D0000-0x00000000003E9000-memory.dmp

    Filesize

    100KB

  • memory/2884-19-0x0000000000400000-0x0000000000684000-memory.dmp

    Filesize

    2.5MB

  • memory/2884-21-0x0000000000400000-0x0000000000684000-memory.dmp

    Filesize

    2.5MB

  • memory/3024-12-0x0000000000D00000-0x0000000000F03000-memory.dmp

    Filesize

    2.0MB

  • memory/3024-0-0x0000000000D01000-0x0000000000D02000-memory.dmp

    Filesize

    4KB

  • memory/3024-2-0x0000000000D00000-0x0000000000F03000-memory.dmp

    Filesize

    2.0MB

  • memory/3024-1-0x0000000000D00000-0x0000000000F03000-memory.dmp

    Filesize

    2.0MB
