Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2025, 15:05

General

  • Target

    JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe

  • Size

    222KB

  • MD5

    369f3b0d8a6237be175eae349bb4bb5e

  • SHA1

    b828824c1c111b22605aa0b6a7671d7dab2c032a

  • SHA256

    4fbc330b4a0a7b524d6e4fbe166b2e644a87cb0b228c07fd84d9d6f46e93be6b

  • SHA512

    293d8bb0113886defe407dda0a18ecd315eab54fb78188984550dd21076bb2683c719c90a93dc3f3755596dd05563a0f2f5163ed626cffadfe90aa91770e45ee

  • SSDEEP

    6144:kuylTvWzCVkCELU0LPRpL/yqmuYyOhcpqK:kuy9v4Yk5LU0d9yPuNr

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\CKM.exe
      "C:\Windows\system32\CKM.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2872
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\post-6708-1129523183_thumb.jpg

    Filesize

    43KB

    MD5

    92e83ad6848c41c37565e5fcb47e9e36

    SHA1

    2e5bf330b4ae59becd22ebb3c55632e28e5cc5e2

    SHA256

    9feeb10f3313a11e1de6eae649e98f03fbfdb9644aa7df7b12db9c9f99668db5

    SHA512

    8e948e12320b19914813367a3b7b999526590dd6d0f5c68a9aa47350e3a4a25d239a705720a97f33156ba713d74d978709f9b350db9c3e7e12328e8e0d013a8a

  • C:\Windows\SysWOW64\CKM.001

    Filesize

    1KB

    MD5

    a7e6484b6d2a29c51de7a83766ef45f5

    SHA1

    3da70caf64f07266cfe82b0fdbc3e68211e5d159

    SHA256

    0defa934ee175c5716fa823065da249128a77659178f29076e72beef9e5f1d28

    SHA512

    d2eb662817f4a46a4866ab26fdf950c1a2e04d28b4cc79a9c26b12b617b018e9970817136590f0ce9eeef2d033766ebbb9985f8b4138901601612f50ca9b5aa5

  • C:\Windows\SysWOW64\CKM.exe

    Filesize

    244KB

    MD5

    3d940db5a36c4850146a7515f36bf64e

    SHA1

    77e61d2cddbfe4722f623197856a8053a9d6ca73

    SHA256

    ba471b072fc8d13d946754e6cacc41c2c992581018bff3d051d4a07b5b2bc375

    SHA512

    ab629b4436dcec4e65899bb9c66263a0d74a48be6ced4a5fd472b20959e858bc69772a1f74b5b20c06ec4860ff03d01bb20074d2c79b567b60480c80c1648d83

  • \Users\Admin\AppData\Local\Temp\@1F82.tmp

    Filesize

    4KB

    MD5

    b3ce78b324bbaf657fa5dfb80270240d

    SHA1

    3eacec137e3e0c898e916dfebee4668aa2c6ef3d

    SHA256

    da289a8e9545c71918bda3fa6f84e45eaec17a7016be8c885f35940aebfcd486

    SHA512

    1494fa678289bee54ff554e1fd7e63ca38f22135d60afc7b95a566879592d00e9cf29fd2e31d541ad0881fd28c057928c467e002965a21944467232852fda068

  • memory/1172-19-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

  • memory/2380-18-0x00000000022C0000-0x00000000022C2000-memory.dmp

    Filesize

    8KB