Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2025, 04:32
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Resource
win10v2004-20250129-en
General
Target: JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Size: 2.3MB
MD5: 8fe47798bc47d7b775803e1dbef3c8be
SHA1: bce6475d95dc735f3c0f308d40916f2931a7955b
SHA256: ed4a22e4be09281a3450114792f3ebfae0c0b1106b96331c30c6cef4d6b73618
SHA512: fef0aaaea2464223f9897f97911ae38bda6411e88261095c8b25f766f1d0c86dfdec4b86ea03faceaac462a042d7ac55cda96254c1327eeed1b69923f090090f
SSDEEP: 49152:vucTMaQtsTAcapB8h6S8MKOaK6P0h04dg310EcZ09EjvMj:vcJsTxgBd7tI6PS04eKEEbMj
Malware Config
Extracted
Protocol: ftp
Host: ftp.drivehq.com
Port: 21
Username: rui.costa
Signatures

Ardamax family

Ardamax main executable (1 IoC)
resource | yara_rule
behavioral1/files/0x0007000000016cab-6.dat | family_ardamax

Executes dropped EXE (1 IoC)
pid | Process
2784 | GPU.exe

Loads dropped DLL (4 IoCs)
pid | Process
2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
2784 | GPU.exe
2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
2672 | WINWORD.EXE

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GPU Start = "C:\\Windows\\SysWOW64\\RYYGCG\\GPU.exe" | GPU.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\RYYGCG\GPU.001 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File opened for modification | C:\Windows\SysWOW64\RYYGCG\ | GPU.exe
File opened for modification | C:\Windows\SysWOW64\RYYGCG\GPU.008 | GPU.exe
File created | C:\Windows\SysWOW64\RYYGCG\App_Feb_04_2025__04_33_01.html | GPU.exe
File created | C:\Windows\SysWOW64\RYYGCG\GPU.008 | GPU.exe
File created | C:\Windows\SysWOW64\RYYGCG\GPU.004 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File created | C:\Windows\SysWOW64\RYYGCG\GPU.002 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File created | C:\Windows\SysWOW64\RYYGCG\AKV.exe | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
File created | C:\Windows\SysWOW64\RYYGCG\GPU.exe | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GPU.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2672 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2784 | GPU.exe
2784 | GPU.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: 33 | 2784 | GPU.exe
Token: SeIncBasePriorityPrivilege | 2784 | GPU.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
2784 | GPU.exe
2784 | GPU.exe
2784 | GPU.exe
2784 | GPU.exe
2672 | WINWORD.EXE
2672 | WINWORD.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2380 wrote to memory of 2784 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 30
PID 2380 wrote to memory of 2784 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 30
PID 2380 wrote to memory of 2784 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 30
PID 2380 wrote to memory of 2784 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 30
PID 2380 wrote to memory of 2672 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 31
PID 2380 wrote to memory of 2672 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 31
PID 2380 wrote to memory of 2672 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 31
PID 2380 wrote to memory of 2672 | 2380 | JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe | 31
PID 2672 wrote to memory of 3004 | 2672 | WINWORD.EXE | 33
PID 2672 wrote to memory of 3004 | 2672 | WINWORD.EXE | 33
PID 2672 wrote to memory of 3004 | 2672 | WINWORD.EXE | 33
PID 2672 wrote to memory of 3004 | 2672 | WINWORD.EXE | 33
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8fe47798bc47d7b775803e1dbef3c8be.exe"
Depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2380

    C:\Windows\SysWOW64\RYYGCG\GPU.exe
    Command line: "C:\Windows\system32\RYYGCG\GPU.exe"
    Depth: 2
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2784

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sobradelo.docx"
    Depth: 2
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2672

        C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        Depth: 3
        PID: 3004
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.2MB
MD5: 5c1a4ef8f1642dc7d47b9ed8e488119d
SHA1: 648fc017422d9703c12e44fb31a9bc19d9074ed3
SHA256: 1e0dd3eda8a3a157b960922165c4539a96daf88b47d302c381a76b6624b4a8b4
SHA512: 612e42bcb23e6d59d316cb069b8f95fbee896a0874312a0becf2f7e10fd297df80144bc9e411464f141ce4a1d568496d803933acba045bb843eda99a2bc69aa0

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 487KB
MD5: eb9f503f6859a5161bcb9aeac042ceab
SHA1: d46039f98020e296bbd6455c834c6299528c821b
SHA256: 51fc5b6f1711fd6b4b5945d935d37f57609eafa68d865c1ec1464b0ab221830c
SHA512: fa034d6292e0c16bb4958f1efe2b51577db99df6ccdb2223ba3fee4bab1796a5d4fa37667c077296da22e4c67d39ae0667a428f774aa2d5d3c7750a28320d33d

Filesize: 518B
MD5: 79641b6731f27076fe7c5fabb60d6d38
SHA1: bb1a61fd2bd6aca516e086b37288fbdb44c5d947
SHA256: 500e437ab249ce874ac0aa23e0036593a2f238cee484e346574ff69e698a01f7
SHA512: 6757b6d1e83abaf8b337f686029b7dd81422dbce23993cda829d6fb08a6b06cb1232d9729784033003cb63b0cbaaaa92eab7bcc11b8338970183421f10372544

Filesize: 61KB
MD5: 2666d675f8905ce58b7e961ffbfe8f61
SHA1: afa6625a916d27da14a591feba03352b2afb91cc
SHA256: 1594c6986d0e4339825e2c812791c54c912d8358a76b6058da0bf6bba5f5c697
SHA512: 81193afcb9406ea906db628ae434f576b6e4e2959674902cf8c2b11f5c7007b384a8e0385a6889637506f289d4849dd8dcb32dee9302363834333ef7813a2778

Filesize: 44KB
MD5: 52f41f282445a7a75238c2bf31ff7b7d
SHA1: 5b5c5eb4066e2c583137dff7e1333b89640514a7
SHA256: 3a9e12f314bf9b5f043f3f05556b244a7ba244d3625f8adbd9cb59e9385ac4f3
SHA512: bc6e2959be659a86a2de4bb1dbae8171a6b02e39fd98e948c1c40e96e101e73af274e6ceb590fd5aa5e5cb558e8e80fb79aac0162cdc2266ab1b173bda419107

Filesize: 1KB
MD5: ed29d01a82e5b08ab40cf5c3f5fcc932
SHA1: f6b115bca43516233654b96eecdabfcafc3e25c1
SHA256: 2550b2e4567960465b7b486b390a2d6068f5b81f4d529fd70b103061213255e7
SHA512: 096bcc1e7c2b63ead8e4be8ee1c47217de39db6c6c9f62a22c3c2aa6b05d2c7133bafb07a934aa4f0a07ad3d14092ac0e3fb3fcd9ad7f917622e563dab6a202a

Filesize: 1.7MB
MD5: 68c19411dc10799efff9cfdb1dfa6ea3
SHA1: b337a16ee1a383ff4406fdaf65816f67174a6ec6
SHA256: a8565859541d680f0d8c74acdc0e0fee438de817785f4f596e470bdbefca0855
SHA512: 16a2d576df4a24fa7f973e8e588f8cc79281d03343510344e6ef4ff8e3903e3a7751f38ef4f1c9fa2f8bdfaf3181b4fecae6905833df861c98e5b7b993a429d3