Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2025, 15:05 UTC

General

  • Target

    JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe

  • Size

    222KB

  • MD5

    369f3b0d8a6237be175eae349bb4bb5e

  • SHA1

    b828824c1c111b22605aa0b6a7671d7dab2c032a

  • SHA256

    4fbc330b4a0a7b524d6e4fbe166b2e644a87cb0b228c07fd84d9d6f46e93be6b

  • SHA512

    293d8bb0113886defe407dda0a18ecd315eab54fb78188984550dd21076bb2683c719c90a93dc3f3755596dd05563a0f2f5163ed626cffadfe90aa91770e45ee

  • SSDEEP

    6144:kuylTvWzCVkCELU0LPRpL/yqmuYyOhcpqK:kuy9v4Yk5LU0d9yPuNr

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_369f3b0d8a6237be175eae349bb4bb5e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\CKM.exe
      "C:\Windows\system32\CKM.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2872
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\post-6708-1129523183_thumb.jpg

    Filesize

    43KB

    MD5

    92e83ad6848c41c37565e5fcb47e9e36

    SHA1

    2e5bf330b4ae59becd22ebb3c55632e28e5cc5e2

    SHA256

    9feeb10f3313a11e1de6eae649e98f03fbfdb9644aa7df7b12db9c9f99668db5

    SHA512

    8e948e12320b19914813367a3b7b999526590dd6d0f5c68a9aa47350e3a4a25d239a705720a97f33156ba713d74d978709f9b350db9c3e7e12328e8e0d013a8a

  • C:\Windows\SysWOW64\CKM.001

    Filesize

    1KB

    MD5

    a7e6484b6d2a29c51de7a83766ef45f5

    SHA1

    3da70caf64f07266cfe82b0fdbc3e68211e5d159

    SHA256

    0defa934ee175c5716fa823065da249128a77659178f29076e72beef9e5f1d28

    SHA512

    d2eb662817f4a46a4866ab26fdf950c1a2e04d28b4cc79a9c26b12b617b018e9970817136590f0ce9eeef2d033766ebbb9985f8b4138901601612f50ca9b5aa5

  • C:\Windows\SysWOW64\CKM.exe

    Filesize

    244KB

    MD5

    3d940db5a36c4850146a7515f36bf64e

    SHA1

    77e61d2cddbfe4722f623197856a8053a9d6ca73

    SHA256

    ba471b072fc8d13d946754e6cacc41c2c992581018bff3d051d4a07b5b2bc375

    SHA512

    ab629b4436dcec4e65899bb9c66263a0d74a48be6ced4a5fd472b20959e858bc69772a1f74b5b20c06ec4860ff03d01bb20074d2c79b567b60480c80c1648d83

  • \Users\Admin\AppData\Local\Temp\@1F82.tmp

    Filesize

    4KB

    MD5

    b3ce78b324bbaf657fa5dfb80270240d

    SHA1

    3eacec137e3e0c898e916dfebee4668aa2c6ef3d

    SHA256

    da289a8e9545c71918bda3fa6f84e45eaec17a7016be8c885f35940aebfcd486

    SHA512

    1494fa678289bee54ff554e1fd7e63ca38f22135d60afc7b95a566879592d00e9cf29fd2e31d541ad0881fd28c057928c467e002965a21944467232852fda068

  • memory/1172-19-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

  • memory/2380-18-0x00000000022C0000-0x00000000022C2000-memory.dmp

    Filesize

    8KB