Analysis

  • max time kernel
    142s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2025, 13:02 UTC

General

  • Target

    JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe

  • Size

    2.3MB

  • MD5

    35b9ec998fd52b4ffeacdc71d1bb134d

  • SHA1

    38cd8c287085af6512e0c20ca8088e8d129d01c4

  • SHA256

    d63f81c698728558b74e71149a866d253b9ef8aa65b8dae39db2accadb8654f5

  • SHA512

    62948b5abe013f95e75235d3e3a7e3be18643ae1cca0a1aa65bf113d936fde3c1b19303989e865595741ef795569ad33072235801c3424c0f099cfdb197a9eb5

  • SSDEEP

    49152:NZNfQzcYsgSMBVjILrhnNOagwyegGonPh7CXSHB:NZN44YBVjIfhnQagwyegGc7CCHB

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 23 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 7 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 37 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2208
    • C:\Users\Admin\AppData\Roaming\P®OßOT™.EXE
      "C:\Users\Admin\AppData\Roaming\P®OßOT™.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system\P®oßot™.exe
        C:\Windows\system\P®oßot™.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s TABCTL32.OCX
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1792
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s MSINET.OCX
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1028
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe /s MSWINSCK.OCX
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1592
      • C:\Windows\system\Install.exe
        C:\Windows\system\Install.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:1012
        • C:\Windows\SysWOW64\28463\EGBE.exe
          "C:\Windows\system32\28463\EGBE.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2204
    • C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
      "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2608
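All three cmd.exe chains above end the same way: reg.exe writes a Run value named rundll whose data is C:\Users\Admin\AppData\Roaming\rundll.exe (the inner quotes are escaped as \" so they, and a trailing space, survive into the registry value). The Python below is an added example, not part of this report or of Triage: it splits the Windows command line, pulls the key, value name and data out of REG ADD, and scores the write using only what the tree shows (target in a user-writable directory, a batch script in %TEMP% in the ancestry, a value name imitating rundll32). The event records and the benign comparison event are constructed, and the lookalike-name list is a heuristic assumption.

```python
"""Flag autostart persistence written through reg.exe (added example, not part
of the Triage report). EVENTS are constructed Sysmon-style process-creation
records, with an 'ancestry' list of parent command lines that a real pipeline
would have to join itself, mirroring the cmd.exe -> cmd.exe -> reg.exe chain."""
import re

# HKCU/HKLM Run and RunOnce keys, with or without the WOW6432Node hop.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\"
    r"SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\"
    r"(RUN|RUNONCE)$",
    re.IGNORECASE,
)
# Directories a standard user can write to: persistence here needs no admin rights.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.IGNORECASE)
BATCH_IN_TEMP_RE = re.compile(r"\\Temp\\[^\\]+\.(bat|cmd)\b", re.IGNORECASE)
# Heuristic (assumption): names of Windows binaries that droppers like to imitate.
LOOKALIKE_STEMS = {"rundll", "rundll32", "svchost", "csrss", "lsass", "winlogon", "explorer"}


def split_windows_cmdline(cmdline):
    # Minimal CommandLineToArgvW-style splitter: quoted groups plus the \" escape
    # the REG ADD line uses. A backslash not followed by a quote stays literal
    # (what paths need); the full run-of-backslashes rule and "" are not handled.
    args, cur, in_quotes = [], [], False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\" and i + 1 < n and cmdline[i + 1] == '"':
            cur.append('"')          # \" -> literal quote
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_reg_add(argv):
    """Return (key, value_name, data) for `reg add ...`, else None."""
    if len(argv) < 3:
        return None
    image = argv[0].rsplit("\\", 1)[-1].lower()
    if image not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    opts, i = {}, 3
    while i < len(argv):
        if argv[i].lower() in ("/v", "/d", "/t") and i + 1 < len(argv):
            opts[argv[i].lower()] = argv[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, /reg:32 and similar take no value
    return argv[2], opts.get("/v"), opts.get("/d")


def assess(event):
    """Return a finding when the event writes a Run/RunOnce value, else None."""
    parsed = parse_reg_add(split_windows_cmdline(event["cmdline"]))
    if parsed is None or not RUN_KEY_RE.match(parsed[0]):
        return None
    key, value_name, data = parsed
    # The report writes the data as "\"...rundll.exe \"": the quotes and a
    # trailing space survive into the registry value, so normalise them away.
    target = (data or "").strip().strip('"').strip()
    reasons = ["reg.exe writes an autostart value"]
    if USER_WRITABLE_RE.search(target):
        reasons.append("autostart target is in a user-writable directory")
    if any(BATCH_IN_TEMP_RE.search(c) for c in event.get("ancestry", [])):
        reasons.append("spawned from a batch script in %TEMP%")
    stem = target.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if stem in LOOKALIKE_STEMS and "\\windows\\" not in target.lower():
        reasons.append("target name imitates a Windows component outside %WINDIR%")
    return {"key": key, "value_name": value_name, "target": target,
            "severity": "high" if len(reasons) >= 3 else "medium", "reasons": reasons}


def scan(events):
    return [f for f in (assess(e) for e in events) if f]


REG_ADD_LINE = (r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll '
                r'/D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f')
EVENTS = [
    {   # mirrors the reg.exe node (PID 2052) in the tree above
        "image": r"C:\Windows\SysWOW64\reg.exe", "cmdline": REG_ADD_LINE,
        "ancestry": [r"cmd /c " + REG_ADD_LINE,
                     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "'],
    },
    {   # constructed benign comparison: an installer registers its own updater
        "image": r"C:\Windows\System32\reg.exe",
        "cmdline": r'reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
                   r'/v Updater /t REG_SZ /d "C:\Program Files\Contoso\updater.exe" /f',
        "ancestry": [r'"C:\Program Files\Contoso\setup.exe"'],
    },
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding["severity"], finding["value_name"], "->", finding["target"], finding["reasons"])
```

The report's own chain scores high on all four points; the constructed installer write is reported too, but only as medium, which is the right split: any Run-key write is worth logging, and the combination of a Roaming target, a %TEMP% batch parent and a lookalike name is what makes this one actionable.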

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\syscheck.bat

    Filesize

    150B

    MD5

    1265b09eaea9e3c69fe1f6a4e8b00e6e

    SHA1

    44face1bde83d56e9d8906c6661a7fae05e330c6

    SHA256

    9f67284e85933ba4412c4ab49c0638af67b6ee4db37f7c8d91bff97823dc6068

    SHA512

    30574540682fb600fba844cf1e9b11205c3ac2eb64cfc661a07b8782938715ca4ccdd3ec5fcd2c0f18e34f2678c374adeca6f180ba792ce36826940b7188a57a

  • C:\Users\Admin\AppData\Roaming\P®OßOT™.exe

    Filesize

    895KB

    MD5

    37f0d5b41679b7cf9d488f857c5d2895

    SHA1

    8a2e857bc69977321375b4992937865a226b6858

    SHA256

    db8e5c5ece4dff522a1c89e669ebac40686856f2429745ab1c0bad8493325599

    SHA512

    5c33e600435c138af0169e123b646004c5efd93229dde9c5abcbe2409e23b4c46465d7a0d4f282caccd0cc88942b9f7c62578d69054da7a72791181b5e2660eb

  • C:\Users\Admin\AppData\Roaming\rundll.exe

    Filesize

    596KB

    MD5

    9df6bb3812221a1537b779eaf8378c0b

    SHA1

    a4548e13d0874fc7b408f28b2138979e8123f8dc

    SHA256

    bb1da669d97dfbc4dfdada3f8e79643f68ecf5317fe7006b9d739691bf411166

    SHA512

    baf64ce867039ccf7e3a6e21559daf5153671ba81059ccff3b909610a285d73e6ea9320c688cddc84314142e5e2875d069f4c0cb0f6cd42436f7fba2b30a8cf2

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    457KB

    MD5

    bf3f029b48698972471caaa7e9cea759

    SHA1

    304ef8b5c72bf95e5d3efa18e5587c6d9cacfd15

    SHA256

    2f55fb7d6318f940c208276c25d63d7a7a8406da1c82f51305f1ce6381ac1aa5

    SHA512

    0fcc2c42ba1cf816152f1e116789c615956024b58a06a985c79ac9b71fa10dc232a5c4210f18f4d3a70730454cbdc2b3da56d24e4da207d58ce2446424b68d00

  • C:\Windows\SysWOW64\28463\EGBE.001

    Filesize

    444B

    MD5

    ec90328732d806928db4a781505b1772

    SHA1

    0e3f49648654990e0d358431b31cb291da970398

    SHA256

    1915e182924731fc8a2f337e1bd3857e1d765b6f2c9bb829f8b6fe934d51d6d9

    SHA512

    789731e6225f0484739328524c6fcf1015e289f09a141952b1a4792e95fa60aab9e09acafc4ffc34b3298b5c744fb5363aa1c7da96a30d43fb9d71319b10e1b6

  • C:\Windows\SysWOW64\28463\EGBE.006

    Filesize

    8KB

    MD5

    5153b016d36928c296131c5c8e669446

    SHA1

    c444f61a2dc49ede6a2325f26d76af66de5989d2

    SHA256

    4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

    SHA512

    c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

  • C:\Windows\SysWOW64\28463\EGBE.007

    Filesize

    5KB

    MD5

    80bbc7ace13d97396bd7b1abbaf4008b

    SHA1

    d013c0def603915675b1e0ce5877d413cdaf6523

    SHA256

    18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae

    SHA512

    bc7afd0e730f432852d374812827077574181928aa97c25d8170ce1b766677383360bf2bb21afc51e8168eb3f6539ce8499c4002d86190f27d4836da3f907919

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    105B

    MD5

    27c90d4d9b049f4cd00f32ed1d2e5baf

    SHA1

    338a3ea8f1e929d8916ece9b6e91e697eb562550

    SHA256

    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

    SHA512

    d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

  • \Users\Admin\AppData\Local\Temp\@F872.tmp

    Filesize

    4KB

    MD5

    557e0039dc13a0453af7ca9373a0d301

    SHA1

    50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

    SHA256

    54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

    SHA512

    d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

  • \Users\Admin\AppData\Roaming\ntldr.dll

    Filesize

    417KB

    MD5

    e2b7786a6f66cdff399e0ab0c7a2bb3c

    SHA1

    ebf01463a279bed4da2d77e37cef3b4f54a90318

    SHA256

    7c1b080ad1eea14bdf2a8324b85c86cc98d8371b86a0079b52e87294f75751bf

    SHA512

    e169a369af1df7e7e5083d37eb6e4f156d70aaca8f1946412c46f26d07126998c71c1e5d8250a0d591a5cf05dd881875fec2660f73bd1fe9ab34c7ab2846daf1

  • \Windows\SysWOW64\28463\EGBE.exe

    Filesize

    648KB

    MD5

    5530832fa82582288ce640f73a4915a0

    SHA1

    c40673ed59a61dd3b39f8ed6d0e1345838d98e44

    SHA256

    6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

    SHA512

    ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

  • \Windows\system\Install.exe

    Filesize

    785KB

    MD5

    47a9a19c2b673867a3ad2518e09b9a12

    SHA1

    0f9c631eed1495fd510448381ff21c91505bac6f

    SHA256

    dddb5e3c08d8d1547dea9a9213d4ea7a05f4a6fa27119e681baac062563c8f93

    SHA512

    b87d7426ae12ededb615bb0654b59c37b2ae5df1bdf578cafdeccf6623ce62d0e9543f7dacc46c6c227dc6738a0df957d0f4004e4305f28ab8a09c1a697ec40c

  • \Windows\system\P®oßot™.exe

    Filesize

    78KB

    MD5

    13ef400e4c4c93cca3e7f03ce713a2ba

    SHA1

    bb773488ce128bc95607df5f6521c68908a38e43

    SHA256

    1bbf69b51ae2dce863dccfe00a283b74c10d3d5e62416a1cd621dd66f9868288

    SHA512

    13d4067adfc9c43df8dd60b82b4ef15fd27eb030c1d4d53fe53aa3b74a8e3a73a21cc79956d50ef7e7cdf6424cb18bb196caaeb166373bc266662a776baf5ea0

  • memory/776-115-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/776-69-0x0000000002730000-0x000000000279E000-memory.dmp

    Filesize

    440KB

  • memory/776-63-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/776-114-0x0000000002730000-0x000000000279E000-memory.dmp

    Filesize

    440KB

  • memory/1012-89-0x0000000002910000-0x00000000029EF000-memory.dmp

    Filesize

    892KB

  • memory/2348-108-0x0000000004D60000-0x0000000004DCE000-memory.dmp

    Filesize

    440KB

  • memory/2348-116-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2348-98-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2348-99-0x0000000000300000-0x00000000003DF000-memory.dmp

    Filesize

    892KB

  • memory/2348-97-0x0000000000300000-0x00000000003DF000-memory.dmp

    Filesize

    892KB

  • memory/2348-131-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2348-120-0x0000000004D60000-0x0000000004DCE000-memory.dmp

    Filesize

    440KB

  • memory/2572-56-0x0000000002020000-0x0000000002094000-memory.dmp

    Filesize

    464KB

  • memory/2572-61-0x0000000002020000-0x0000000002094000-memory.dmp

    Filesize

    464KB

  • memory/2608-49-0x0000000000220000-0x000000000028E000-memory.dmp

    Filesize

    440KB

  • memory/2608-118-0x0000000000220000-0x000000000028E000-memory.dmp

    Filesize

    440KB

  • memory/2608-117-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/2608-121-0x0000000000400000-0x000000000049B000-memory.dmp

    Filesize

    620KB

  • memory/2812-44-0x0000000000400000-0x0000000000654000-memory.dmp

    Filesize

    2.3MB

  • memory/2812-1-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB
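The Downloads list is the Ardamax drop set as it landed in this run: a five-digit directory under SysWOW64 (28463) holding EGBE.exe, its numbered companions EGBE.001/.006/.007, AKV.exe and key.bin, plus Install.exe and P®oßot™.exe in C:\Windows\system (the legacy directory, not System32) and rundll.exe and ntldr.dll in the user's Roaming profile. Note that Install.exe's child was launched as "C:\Windows\system32\28463\EGBE.exe" while the file was written to SysWOW64: that is WOW64 file-system redirection for a 32-bit process on the x64 image, so a hunt has to accept both spellings. The Python below is an added example, not part of this report or of Triage: it classifies a file listing against the SHA-256 values copied from this page and against the drop-directory layout, the latter generalised (five digits, three or four letters, any .00N companion) as an assumption. The listing it scans is constructed.

```python
"""Match a file listing against the artifacts this report records (added
example, not part of the Triage report). KNOWN_SHA256 is copied from the
General and Downloads sections; DROP_LAYOUT_RE generalises the layout seen in
this run and its exact shape is an assumption; LISTING is constructed."""
import hashlib
import os
import re

KNOWN_SHA256 = {
    "d63f81c698728558b74e71149a866d253b9ef8aa65b8dae39db2accadb8654f5": r"JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe",
    "9f67284e85933ba4412c4ab49c0638af67b6ee4db37f7c8d91bff97823dc6068": r"\Users\Admin\AppData\Local\Temp\syscheck.bat",
    "db8e5c5ece4dff522a1c89e669ebac40686856f2429745ab1c0bad8493325599": r"\Users\Admin\AppData\Roaming\P®OßOT™.exe",
    "bb1da669d97dfbc4dfdada3f8e79643f68ecf5317fe7006b9d739691bf411166": r"\Users\Admin\AppData\Roaming\rundll.exe",
    "7c1b080ad1eea14bdf2a8324b85c86cc98d8371b86a0079b52e87294f75751bf": r"\Users\Admin\AppData\Roaming\ntldr.dll",
    "54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc": r"\Users\Admin\AppData\Local\Temp\@F872.tmp",
    "2f55fb7d6318f940c208276c25d63d7a7a8406da1c82f51305f1ce6381ac1aa5": r"\Windows\SysWOW64\28463\AKV.exe",
    "6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88": r"\Windows\SysWOW64\28463\EGBE.exe",
    "1915e182924731fc8a2f337e1bd3857e1d765b6f2c9bb829f8b6fe934d51d6d9": r"\Windows\SysWOW64\28463\EGBE.001",
    "4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59": r"\Windows\SysWOW64\28463\EGBE.006",
    "18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae": r"\Windows\SysWOW64\28463\EGBE.007",
    "172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb": r"\Windows\SysWOW64\28463\key.bin",
    "dddb5e3c08d8d1547dea9a9213d4ea7a05f4a6fa27119e681baac062563c8f93": r"\Windows\system\Install.exe",
    "1bbf69b51ae2dce863dccfe00a283b74c10d3d5e62416a1cd621dd66f9868288": r"\Windows\system\P®oßot™.exe",
}

# Five-digit directory under System32/SysWOW64 holding <LETTERS>.exe, numbered
# .00N companions and key.bin. The process tree shows the dropper launching
# "system32\28463\EGBE.exe" while the file sits in SysWOW64 (WOW64 redirection
# for a 32-bit process on x64), so both directory spellings are accepted.
DROP_LAYOUT_RE = re.compile(
    r"\\(System32|SysWOW64)\\\d{5}\\(?:[A-Z]{3,4}\.(?:exe|\d{3})|key\.bin)$",
    re.IGNORECASE,
)
# C:\Windows\system (no "32") is the legacy 16-bit directory; executables
# written there, as Install.exe and P®oßot™.exe are in this run, are unusual.
LEGACY_SYSTEM_DIR_RE = re.compile(r"\\Windows\\system\\[^\\]+\.exe$", re.IGNORECASE)


def classify_file(path, sha256):
    """Return the list of reasons a file is suspicious; empty list if none."""
    reasons = []
    if sha256.lower() in KNOWN_SHA256:
        reasons.append("known_sha256")
    if DROP_LAYOUT_RE.search(path):
        reasons.append("ardamax_drop_layout")
    if LEGACY_SYSTEM_DIR_RE.search(path):
        reasons.append("exe_in_windows_system_dir")
    return reasons


def scan_listing(listing):
    """listing: iterable of (path, sha256_hex). Returns findings for flagged files."""
    findings = []
    for path, sha256 in listing:
        reasons = classify_file(path, sha256)
        if reasons:
            findings.append({"path": path, "sha256": sha256, "reasons": reasons,
                             "report_path": KNOWN_SHA256.get(sha256.lower())})
    return findings


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Hash every file under root (live host or mounted image) and classify it.
    Paths are normalised to backslashes so the patterns work on a Linux mount."""
    listing = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                listing.append((full.replace("/", "\\"), sha256_of(full)))
            except OSError:
                continue
    return scan_listing(listing)


# Constructed listing: one exact hash hit, one layout-only hit, one hit in the
# legacy directory, and a benign file with a placeholder hash.
LISTING = [
    (r"C:\Windows\SysWOW64\28463\EGBE.exe", "6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88"),
    (r"C:\Windows\SysWOW64\51920\QWX.007", "0" * 64),
    (r"C:\Windows\system\P®oßot™.exe", "1bbf69b51ae2dce863dccfe00a283b74c10d3d5e62416a1cd621dd66f9868288"),
    (r"C:\Windows\System32\notepad.exe", "f" * 64),
]

if __name__ == "__main__":
    for finding in scan_listing(LISTING):
        print(finding["path"], finding["reasons"])
```

The layout match is what gives this hunt reach beyond the twelve hashes on this page: a rebuilt Ardamax installer changes every digest but, in this run at least, not the habit of dropping a lettered executable with numbered companions and key.bin into a five-digit directory under the system folder. Treat the layout hit as a lead to confirm, and the hash hit as a confirmed match.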
