Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2025, 13:01
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
- Resource: win10v2004-20250129-en
General
- Target: JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
- Size: 608KB
- MD5: 71fbbc5924741e4d7edc1b689a5d9882
- SHA1: 44d520f8d1f0a3dcf9e6be7996131fc9e57d05a9
- SHA256: d44d06840e3fccfa5616f98f8dfd2b8de78242040fe7cc14db1cd78bc165f1e7
- SHA512: c068c9e247c8382df94560404671a6eef8f27f71efffa01557ea88dddea9487c40dbab2512bc6b055cc5fbe0307eb276e419518b09d515a501ece47ce89d120d
- SSDEEP: 12288:1uEQlKRShvraBT31+I9K717p0tSN6iPSuCbnjrIC/YJw4TNWFXrNrtAr:1CScvrJBitSV4bIC/yfm9
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource | yara_rule
  behavioral2/files/0x000500000001e682-20.dat | family_ardamax
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation | Install.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  656 | Install.exe
  2752 | SAUF.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  656 | Install.exe
  2752 | SAUF.exe
  2752 | SAUF.exe
  2752 | SAUF.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAUF Agent = "C:\\Windows\\SysWOW64\\28463\\SAUF.exe" | SAUF.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\28463\key.bin | Install.exe
  File opened for modification | C:\Windows\SysWOW64\28463 | SAUF.exe
  File created | C:\Windows\SysWOW64\28463\SAUF.001 | Install.exe
  File created | C:\Windows\SysWOW64\28463\SAUF.006 | Install.exe
  File created | C:\Windows\SysWOW64\28463\SAUF.007 | Install.exe
  File created | C:\Windows\SysWOW64\28463\SAUF.exe | Install.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Install.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SAUF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies registry class (35 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\InprocServer32\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0 | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\VersionIndependentProgID\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Programmable | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\HELPDIR | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\InprocServer32 | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ProgID\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\FLAGS | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ = "Owodipcoj Cozakmol Class" | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\ | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\ = "VideoLAN VLC ActiveX Plugin" | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\FLAGS\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Version | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\InprocServer32\ = "C:\\Windows\\SysWOW64\\RegCtrl.dll" | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ProgID | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\ProgID\ = "RegisterControl.Register.1" | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\ | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\HELPDIR\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\TypeLib | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\TypeLib\ = "{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}" | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB} | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\FLAGS\ = "0" | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\TypeLib\ | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Programmable\ | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0 | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\win64 | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\win64\ | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\HELPDIR\ = "C:\\Program Files\\VideoLAN\\VLC" | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\VersionIndependentProgID | SAUF.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61} | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C6487F7E-3061-40F4-5B4B-DF7FB62D8CDB}\1.0\0\win64\ = "C:\\Program Files\\VideoLAN\\VLC\\axvlc.dll" | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Version\ | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\Version\ = "1.0" | SAUF.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{401AE7F5-1B53-4C4D-C4BD-CB49CCEB6C61}\VersionIndependentProgID\ = "RegisterControl.Register" | SAUF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 2752 | SAUF.exe
  Token: SeIncBasePriorityPrivilege | 2752 | SAUF.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  2752 | SAUF.exe
  2752 | SAUF.exe
  2752 | SAUF.exe
  2752 | SAUF.exe
  2752 | SAUF.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4560 wrote to memory of 656 | 4560 | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe | 88
  PID 4560 wrote to memory of 656 | 4560 | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe | 88
  PID 4560 wrote to memory of 656 | 4560 | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe | 88
  PID 4560 wrote to memory of 4916 | 4560 | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe | 89
  PID 4560 wrote to memory of 4916 | 4560 | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe | 89
  PID 4560 wrote to memory of 4916 | 4560 | JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe | 89
  PID 656 wrote to memory of 2752 | 656 | Install.exe | 91
  PID 656 wrote to memory of 2752 | 656 | Install.exe | 91
  PID 656 wrote to memory of 2752 | 656 | Install.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe (PID 4560)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71fbbc5924741e4d7edc1b689a5d9882.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Install.exe (PID 656)
    command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\28463\SAUF.exe (PID 2752)
      command line: "C:\Windows\system32\28463\SAUF.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe (PID 4916)
    command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads