Analysis
- max time kernel: 133s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20250207-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/02/2025, 18:32
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
- Resource: win10v2004-20250207-en
General
- Target: JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
- Size: 501KB
- MD5: ba23c58e9992ec772753fd2baeb984f8
- SHA1: e89ede03adb6dbab65e62efe5aa8d52cc97160fa
- SHA256: 0b888923854d882c24fed6d113e02f866a3363f4b1779a47632ddf4c866a1492
- SHA512: 14d678b3a1d98003ba31bcc3f3516831f82129c022a987af15c9c47af3c8bac4f611b7f8da721a2b14ee7bb327bb767a9ba94f1e2dfd276a6d8755235b42d33f
- SSDEEP: 12288:QzQJshOkH5e2FbkGVaCb08U+KVCFQGZ5v0cba2pL:KGshpH5e2FbeCb08JKVCFQc5v0eL
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoCs)
  resource | yara_rule
  behavioral2/files/0x000a000000023d2d-13.dat | family_ardamax
- Downloads MZ/PE file (1 IoCs)
  flow | pid | Process
  19 | 3216 | Process not Found
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation | RSXF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1220 | RSXF.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  1584 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  1220 | RSXF.exe
  1220 | RSXF.exe
  1220 | RSXF.exe
  4244 | WerFault.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RSXF Agent = "C:\\Windows\\SysWOW64\\28463\\RSXF.exe" | RSXF.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\28463\RSXF.001 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  File created | C:\Windows\SysWOW64\28463\RSXF.006 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  File created | C:\Windows\SysWOW64\28463\RSXF.007 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  File created | C:\Windows\SysWOW64\28463\RSXF.exe | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  File created | C:\Windows\SysWOW64\28463\AKV.exe | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  File opened for modification | C:\Windows\SysWOW64\28463 | RSXF.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4244 | 1220 | WerFault.exe | 91
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RSXF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  4212 | MicrosoftEdgeUpdate.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: 33 | 1220 | RSXF.exe
  Token: SeIncBasePriorityPrivilege | 1220 | RSXF.exe
  Token: SeIncBasePriorityPrivilege | 1220 | RSXF.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  1220 | RSXF.exe
  1220 | RSXF.exe
  1220 | RSXF.exe
  1220 | RSXF.exe
  1220 | RSXF.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1584 wrote to memory of 1220 | 1584 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe | 91
  PID 1584 wrote to memory of 1220 | 1584 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe | 91
  PID 1584 wrote to memory of 1220 | 1584 | JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe | 91
  PID 1220 wrote to memory of 3896 | 1220 | RSXF.exe | 99
  PID 1220 wrote to memory of 3896 | 1220 | RSXF.exe | 99
  PID 1220 wrote to memory of 3896 | 1220 | RSXF.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe (PID 1584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\28463\RSXF.exe (PID 1220)
    Command line: "C:\Windows\system32\28463\RSXF.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 4244)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1072
      - Loads dropped DLL
      - Program crash
    - C:\Windows\SysWOW64\cmd.exe (PID 3896)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\RSXF.exe > nul
      - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 4212)
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzk2NTM1ODA5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
- C:\Windows\SysWOW64\WerFault.exe (PID 4692)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1220 -ip 1220
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads