Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/02/2025, 04:32

General

  • Target

    JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe

  • Size

    2.3MB

  • MD5

    8fe47798bc47d7b775803e1dbef3c8be

  • SHA1

    bce6475d95dc735f3c0f308d40916f2931a7955b

  • SHA256

    ed4a22e4be09281a3450114792f3ebfae0c0b1106b96331c30c6cef4d6b73618

  • SHA512

    fef0aaaea2464223f9897f97911ae38bda6411e88261095c8b25f766f1d0c86dfdec4b86ea03faceaac462a042d7ac55cda96254c1327eeed1b69923f090090f

  • SSDEEP

    49152:vucTMaQtsTAcapB8h6S8MKOaK6P0h04dg310EcZ09EjvMj:vcJsTxgBd7tI6PS04eKEEbMj

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.drivehq.com
  • Port:
    21
  • Username:
    rui.costa

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\RYYGCG\GPU.exe
      "C:\Windows\system32\RYYGCG\GPU.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2784
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sobradelo.docx"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:3004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Sobradelo.docx

      Filesize

      1.2MB

      MD5

      5c1a4ef8f1642dc7d47b9ed8e488119d

      SHA1

      648fc017422d9703c12e44fb31a9bc19d9074ed3

      SHA256

      1e0dd3eda8a3a157b960922165c4539a96daf88b47d302c381a76b6624b4a8b4

      SHA512

      612e42bcb23e6d59d316cb069b8f95fbee896a0874312a0becf2f7e10fd297df80144bc9e411464f141ce4a1d568496d803933acba045bb843eda99a2bc69aa0

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Windows\SysWOW64\RYYGCG\AKV.exe

      Filesize

      487KB

      MD5

      eb9f503f6859a5161bcb9aeac042ceab

      SHA1

      d46039f98020e296bbd6455c834c6299528c821b

      SHA256

      51fc5b6f1711fd6b4b5945d935d37f57609eafa68d865c1ec1464b0ab221830c

      SHA512

      fa034d6292e0c16bb4958f1efe2b51577db99df6ccdb2223ba3fee4bab1796a5d4fa37667c077296da22e4c67d39ae0667a428f774aa2d5d3c7750a28320d33d

    • C:\Windows\SysWOW64\RYYGCG\Feb_04_2025__04_33_01.008

      Filesize

      518B

      MD5

      79641b6731f27076fe7c5fabb60d6d38

      SHA1

      bb1a61fd2bd6aca516e086b37288fbdb44c5d947

      SHA256

      500e437ab249ce874ac0aa23e0036593a2f238cee484e346574ff69e698a01f7

      SHA512

      6757b6d1e83abaf8b337f686029b7dd81422dbce23993cda829d6fb08a6b06cb1232d9729784033003cb63b0cbaaaa92eab7bcc11b8338970183421f10372544

    • C:\Windows\SysWOW64\RYYGCG\GPU.001

      Filesize

      61KB

      MD5

      2666d675f8905ce58b7e961ffbfe8f61

      SHA1

      afa6625a916d27da14a591feba03352b2afb91cc

      SHA256

      1594c6986d0e4339825e2c812791c54c912d8358a76b6058da0bf6bba5f5c697

      SHA512

      81193afcb9406ea906db628ae434f576b6e4e2959674902cf8c2b11f5c7007b384a8e0385a6889637506f289d4849dd8dcb32dee9302363834333ef7813a2778

    • C:\Windows\SysWOW64\RYYGCG\GPU.002

      Filesize

      44KB

      MD5

      52f41f282445a7a75238c2bf31ff7b7d

      SHA1

      5b5c5eb4066e2c583137dff7e1333b89640514a7

      SHA256

      3a9e12f314bf9b5f043f3f05556b244a7ba244d3625f8adbd9cb59e9385ac4f3

      SHA512

      bc6e2959be659a86a2de4bb1dbae8171a6b02e39fd98e948c1c40e96e101e73af274e6ceb590fd5aa5e5cb558e8e80fb79aac0162cdc2266ab1b173bda419107

    • C:\Windows\SysWOW64\RYYGCG\GPU.004

      Filesize

      1KB

      MD5

      ed29d01a82e5b08ab40cf5c3f5fcc932

      SHA1

      f6b115bca43516233654b96eecdabfcafc3e25c1

      SHA256

      2550b2e4567960465b7b486b390a2d6068f5b81f4d529fd70b103061213255e7

      SHA512

      096bcc1e7c2b63ead8e4be8ee1c47217de39db6c6c9f62a22c3c2aa6b05d2c7133bafb07a934aa4f0a07ad3d14092ac0e3fb3fcd9ad7f917622e563dab6a202a

    • \Windows\SysWOW64\RYYGCG\GPU.exe

      Filesize

      1.7MB

      MD5

      68c19411dc10799efff9cfdb1dfa6ea3

      SHA1

      b337a16ee1a383ff4406fdaf65816f67174a6ec6

      SHA256

      a8565859541d680f0d8c74acdc0e0fee438de817785f4f596e470bdbefca0855

      SHA512

      16a2d576df4a24fa7f973e8e588f8cc79281d03343510344e6ef4ff8e3903e3a7751f38ef4f1c9fa2f8bdfaf3181b4fecae6905833df861c98e5b7b993a429d3

    • memory/2672-23-0x000000002FAD1000-0x000000002FAD2000-memory.dmp

      Filesize

      4KB

    • memory/2672-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2672-29-0x0000000070CFD000-0x0000000070D08000-memory.dmp

      Filesize

      44KB

    • memory/2672-47-0x0000000070CFD000-0x0000000070D08000-memory.dmp

      Filesize

      44KB

    • memory/2784-46-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2784-16-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB