Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/02/2025, 13:52
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
Size: 153KB
MD5: b7ba1a8dc1d5bf883c4b3efce6f15d68
SHA1: a1e45eae1edf814c5255e3a6b61d3907b79714f9
SHA256: 5a1bb016ae7fc2af89399c668a5a26b5d19315b1a5244f797d45ea5626e19c84
SHA512: 8ec4c6d5c1c5882e8dd83a4a08910d436f2214ac78b2f81af850fe8a9ad137ca53bdc55b2abe5dae68ebaac6aefcc3c60f23b899096bbaac63f4b1c20586884b
SSDEEP: 3072:kOOCiAqW84BFhW9rvaez9FjtpjaSv0P8LpEOK0sW3zR:irW8UW9ndY8LptXsMR
Malware Config
Signatures
Ardamax family

Ardamax main executable (1 IoC)
  resource                                    yara_rule
  behavioral1/files/0x000600000001878c-9.dat  family_ardamax

Executes dropped EXE (1 IoC)
  pid   Process
  1740  CKM.exe

Loads dropped DLL (8 IoCs)
  pid   Process
  2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  1740  CKM.exe
  1740  CKM.exe
  2304  NOTEPAD.EXE
  2304  NOTEPAD.EXE
  2304  NOTEPAD.EXE

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (4 IoCs)
  description   ioc                            Process
  File created  C:\Windows\SysWOW64\CKM.exe    JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  File created  C:\Windows\SysWOW64\CKM.001    JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  File created  C:\Windows\SysWOW64\CKM.006    JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  File created  C:\Windows\SysWOW64\CKM.007    JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                  Process
  File opened for modification  C:\Windows\SysWOW64  CKM.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CKM.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NOTEPAD.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Opens file in notepad (likely ransom note) (1 IoC)
  pid   Process
  2304  NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                         pid   Process
  Token: 33                           1740  CKM.exe
  Token: SeIncBasePriorityPrivilege   1740  CKM.exe
  Token: SeIncBasePriorityPrivilege   1740  CKM.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  1740  CKM.exe
  1740  CKM.exe
  1740  CKM.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                              procid_target
  PID 2340 wrote to memory of 1740    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  30
  PID 2340 wrote to memory of 1740    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  30
  PID 2340 wrote to memory of 1740    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  30
  PID 2340 wrote to memory of 1740    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  30
  PID 2340 wrote to memory of 2304    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  31
  PID 2340 wrote to memory of 2304    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  31
  PID 2340 wrote to memory of 2304    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  31
  PID 2340 wrote to memory of 2304    2340  JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe  31
  PID 1740 wrote to memory of 2244    1740  CKM.exe                                              33
  PID 1740 wrote to memory of 2244    1740  CKM.exe                                              33
  PID 1740 wrote to memory of 2244    1740  CKM.exe                                              33
  PID 1740 wrote to memory of 2244    1740  CKM.exe                                              33
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe"
  PID: 2340
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\CKM.exe
      Command line: "C:\Windows\system32\CKM.exe"
      PID: 1740
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CKM.exe > nul
          PID: 2244
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
      PID: 2304
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads