Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel:  119s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        31/01/2025, 15:05
Behavioral task: behavioral1
  Sample:   JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
  Resource: win7-20240903-en
General
  Target: JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
  Size:   2.2MB
  MD5:    6b5991fe1c54e2dee8efb0a6752a1099
  SHA1:   73735a5b949d0175156c7234787a452b6d0d50c9
  SHA256: f6a427e78f0905ac2b8cfd882bf4c409e567c67163cdcef6fdbe9277d4a5f283
  SHA512: 9a7336946325e0105b28025da2d05a111dafdbfaf58420b84bb365393043510a3ac5fa21ed39c90f31a02ac8f7b2d37ea5454f4b98718429d226b0b175e15b62
  SSDEEP: 24576:fOkeXzdpiaeS6wbvusjfssaalU8dRlde688c9O75qbFv8f5p24scaOdJS:fcqq6qGiEaU8dRlf8f9D0xO
Malware Config
Signatures
Ardamax family

Ardamax main executable (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x0005000000019350-30.dat  family_ardamax

Executes dropped EXE (2 IoCs)
  pid   Process
  1792  signature.exe
  2884  QHEJ.exe

Loads dropped DLL (11 IoCs)
  pid   Process
  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
  1792  signature.exe
  1792  signature.exe
  1792  signature.exe
  2884  QHEJ.exe
  2884  QHEJ.exe
  1788  rundll32.exe
  1788  rundll32.exe
  2628  AcroRd32.exe
  2628  AcroRd32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                             Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHEJ Agent = "C:\\Windows\\SysWOW64\\28463\\QHEJ.exe"  QHEJ.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
  description                   ioc                                 Process
  File opened for modification  C:\Windows\SysWOW64\28463           QHEJ.exe
  File created                  C:\Windows\SysWOW64\28463\QHEJ.001  signature.exe
  File created                  C:\Windows\SysWOW64\28463\QHEJ.006  signature.exe
  File created                  C:\Windows\SysWOW64\28463\QHEJ.007  signature.exe
  File created                  C:\Windows\SysWOW64\28463\QHEJ.exe  signature.exe

  resource                                                                     yara_rule
  behavioral1/memory/1276-0-0x0000000000400000-0x000000000040D000-memory.dmp   upx
  behavioral1/memory/1276-16-0x0000000000400000-0x000000000040D000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  signature.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  QHEJ.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe
Modifies registry class (1 IoC)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings  rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2628  AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                        pid   Process
  Token: 33                          2884  QHEJ.exe
  Token: SeIncBasePriorityPrivilege  2884  QHEJ.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid   Process
  2884  QHEJ.exe
  2884  QHEJ.exe
  2884  QHEJ.exe
  2884  QHEJ.exe
  2884  QHEJ.exe
  2628  AcroRd32.exe
  2628  AcroRd32.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process                                              procid_target
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1788  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  30
  PID 1276 wrote to memory of 1792  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  31
  PID 1276 wrote to memory of 1792  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  31
  PID 1276 wrote to memory of 1792  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  31
  PID 1276 wrote to memory of 1792  1276  JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe  31
  PID 1792 wrote to memory of 2884  1792  signature.exe                                        32
  PID 1792 wrote to memory of 2884  1792  signature.exe                                        32
  PID 1792 wrote to memory of 2884  1792  signature.exe                                        32
  PID 1792 wrote to memory of 2884  1792  signature.exe                                        32
  PID 1788 wrote to memory of 2628  1788  rundll32.exe                                         33
  PID 1788 wrote to memory of 2628  1788  rundll32.exe                                         33
  PID 1788 wrote to memory of 2628  1788  rundll32.exe                                         33
  PID 1788 wrote to memory of 2628  1788  rundll32.exe                                         33
Processes

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b5991fe1c54e2dee8efb0a6752a1099.exe"
  PID: 1276
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\header.psd
    PID: 1788
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\header.psd"
      PID: 2628
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\signature.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\signature.exe"
    PID: 1792
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\28463\QHEJ.exe
      Command line: "C:\Windows\system32\28463\QHEJ.exe"
      PID: 2884
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads