
Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/02/2025, 13:52

General

  • Target

    JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe

  • Size

    153KB

  • MD5

    b7ba1a8dc1d5bf883c4b3efce6f15d68

  • SHA1

    a1e45eae1edf814c5255e3a6b61d3907b79714f9

  • SHA256

    5a1bb016ae7fc2af89399c668a5a26b5d19315b1a5244f797d45ea5626e19c84

  • SHA512

    8ec4c6d5c1c5882e8dd83a4a08910d436f2214ac78b2f81af850fe8a9ad137ca53bdc55b2abe5dae68ebaac6aefcc3c60f23b899096bbaac63f4b1c20586884b

  • SSDEEP

    3072:kOOCiAqW84BFhW9rvaez9FjtpjaSv0P8LpEOK0sW3zR:irW8UW9ndY8LptXsMR

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7ba1a8dc1d5bf883c4b3efce6f15d68.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SysWOW64\CKM.exe
      "C:\Windows\system32\CKM.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CKM.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3240
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ReadMe.txt
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:1176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@90D6.tmp

    Filesize

    4KB

    MD5

    b3ce78b324bbaf657fa5dfb80270240d

    SHA1

    3eacec137e3e0c898e916dfebee4668aa2c6ef3d

    SHA256

    da289a8e9545c71918bda3fa6f84e45eaec17a7016be8c885f35940aebfcd486

    SHA512

    1494fa678289bee54ff554e1fd7e63ca38f22135d60afc7b95a566879592d00e9cf29fd2e31d541ad0881fd28c057928c467e002965a21944467232852fda068

  • C:\Users\Admin\AppData\Local\Temp\ReadMe.txt

    Filesize

    5KB

    MD5

    1848bdda17e4560b033c282af1db265b

    SHA1

    37ebab66cdfa798e6671e0f7829c08210f73a753

    SHA256

    a3899bf34fa2697bd3664235ebde77385a95385a2cc8a1d76bf7037388f04508

    SHA512

    4c8faf87015465feac745e9df0f1609925eb8887bb9b1e030b05430bceeae8b3649b2797e9035809c0d70498bd54bf3aa8b099ac78ec0a4f44f2ea222958385e

  • C:\Windows\SysWOW64\CKM.001

    Filesize

    2KB

    MD5

    25c4149081f0a4d21b3e7e478a24bdb6

    SHA1

    f2725d81c27ce4b406380caddcc0a519f6296619

    SHA256

    c3ac4a2d3cc20461e6d7b3e0bcbeb57b00716d6efbda2774133e0daf12a8c196

    SHA512

    d9996ff0360c34c80e205730ca0d7204162db214c0dbc9495aa7bffb4f6287749ba867da03760a0b54eda9e99f757323966b5adc8e5f300a299777ed726dbc26

  • C:\Windows\SysWOW64\CKM.006

    Filesize

    4KB

    MD5

    2ae55889b93c5fac99ae642d1c9279b9

    SHA1

    640ff431cf80e0e811a74060efdb0c27c2ac4459

    SHA256

    b7025d43db6c92a011df5f8a5f90c6c4401875543a994dc3434ac52480a3941d

    SHA512

    62b3b8c892ecfa40d08783f005064fdd0e7eebbb3459ee7f646b492f541f7907fbd9e479e60142ad9d2318dca693fc57cf57add079e33397a3f2c8667da0ee92

  • C:\Windows\SysWOW64\CKM.007

    Filesize

    6KB

    MD5

    9da988ab33fdcfd9acda5dd39f2744d0

    SHA1

    0f66b673b9c6ecc738cb422141943926b422db53

    SHA256

    4f0d74d577a6282e1b1e37ef68a24a267a57473cd1269632fe718cc7009fa36a

    SHA512

    e11f81240cd4c1ecc2ccc5ebafa1bfd15993e6923c711d0bab148250c17571bbf1f6ad9d8725cc187608dd8585b148cbc6caba49257d279a4f1b5b3a6291909c

  • C:\Windows\SysWOW64\CKM.exe

    Filesize

    244KB

    MD5

    3d940db5a36c4850146a7515f36bf64e

    SHA1

    77e61d2cddbfe4722f623197856a8053a9d6ca73

    SHA256

    ba471b072fc8d13d946754e6cacc41c2c992581018bff3d051d4a07b5b2bc375

    SHA512

    ab629b4436dcec4e65899bb9c66263a0d74a48be6ced4a5fd472b20959e858bc69772a1f74b5b20c06ec4860ff03d01bb20074d2c79b567b60480c80c1648d83