Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/02/2025, 18:32

General

  • Target

    JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe

  • Size

    501KB

  • MD5

    ba23c58e9992ec772753fd2baeb984f8

  • SHA1

    e89ede03adb6dbab65e62efe5aa8d52cc97160fa

  • SHA256

    0b888923854d882c24fed6d113e02f866a3363f4b1779a47632ddf4c866a1492

  • SHA512

    14d678b3a1d98003ba31bcc3f3516831f82129c022a987af15c9c47af3c8bac4f611b7f8da721a2b14ee7bb327bb767a9ba94f1e2dfd276a6d8755235b42d33f

  • SSDEEP

    12288:QzQJshOkH5e2FbkGVaCb08U+KVCFQGZ5v0cba2pL:KGshpH5e2FbeCb08JKVCFQc5v0eL

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba23c58e9992ec772753fd2baeb984f8.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\28463\RSXF.exe
      "C:\Windows\system32\28463\RSXF.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1072
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:4244
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\RSXF.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3896
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjJCMDk2MUQtNTQzNy00QzI5LTk3OUEtNTQyQzZBNzhBQkZBfSIgdXNlcmlkPSJ7Q0QwOEEwNzUtNzQ2Qi00QkRGLUI4QzItRDYzRjYxNzQ0RDE0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEMyMjFFMUMtOTBEQy00N0ZFLUI1MTQtMUMwNzQ4RkEwQjdCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Nzk2NTM1ODA5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1220 -ip 1220
    1⤵
      PID:4692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\@9D2A.tmp

      Filesize

      4KB

      MD5

      102f90f4f42551b2acd64923065a2b56

      SHA1

      18bbbd1a10b603e05816f5a2baf9a6bed74346a3

      SHA256

      623f4b9a4910c8815d2ab19696668258ff2c30c3adac8967d616f7e60ec619fd

      SHA512

      2c8338799bcd64083dbe8b0e763424962dd024c52996bae590500b7d844595b539549b6c239f68f3866d5fda9db10808e8e9b489031a1e942bc34277f9a1d9d3

    • C:\Windows\SysWOW64\28463\AKV.exe

      Filesize

      411KB

      MD5

      38defc8742dcd7b684e5ae1193e7e668

      SHA1

      5710271eb398f63f0f0b209c46460ff9665df9bb

      SHA256

      b74a277270efc272bef1e264dc11289b7f13c651ac7640745df46bf6792c36d1

      SHA512

      46cc4b677af570905ac0c36b4e85030a618cefd6e4eb4eb4fc850ad2df45c14233024f0aa655e28649212aa42bf74499a91a682750748f75132aa18d1464cb84

    • C:\Windows\SysWOW64\28463\RSXF.001

      Filesize

      416B

      MD5

      698fccd71b2579f0384d188d36bfed79

      SHA1

      5346b93d6c319f84e76de85d23702d91e5b5784a

      SHA256

      2bb2d32877fce8b774a4445e67f59d14a4e38ff9e33a5d42bf98137ea9830b00

      SHA512

      5594c7d2d505441da526fb7e3e327c7a6cd574ccef58e3aa241e072507038ecc90cb85d847df20b9819a881abbae17c2599a0b70b24e4b3cced323fe247104b7

    • C:\Windows\SysWOW64\28463\RSXF.006

      Filesize

      8KB

      MD5

      e44628a2b8e2044ebb635eed3d5f79d9

      SHA1

      87120d6466ae60ea0df734c578f371c5c77acf3a

      SHA256

      6742a87a0df8e620ff5314729c94cfaa738daf172220868cb748b09bb4e72ca4

      SHA512

      ab1ec2ced331a14d60976338715cb9a09144b784d5c3fbcee139e85f843cab9aaa6627ae7a2f7f9d82cda5297fcc045e97385639397acb252bb18ebf315db37e

    • C:\Windows\SysWOW64\28463\RSXF.007

      Filesize

      5KB

      MD5

      75d6279af7fa9545ba7b7b01a85d2e12

      SHA1

      2fa39502b0aaa872712068747ff4f0800e955898

      SHA256

      189a54410440caab60ed99dadf5fed2edcb0d36e5ed3e9a59be41026662bbc0e

      SHA512

      26c21d6e68fef49d988d4e20da9df164760318087752d4d872275efdc0c667fc31426a916acb8eeb65a0acf20ce3bd3c8953bd34cd83cc46cf44c329469f2ae9

    • C:\Windows\SysWOW64\28463\RSXF.exe

      Filesize

      526KB

      MD5

      c4e65cee2c8eaf4a4c03852192f49156

      SHA1

      7c7b416d08056e2ecf215a6ce7126cf74ca3d87e

      SHA256

      95b5415e32ec93a15a060b6e461151632764cc7693e9d3525e495aa3c9ae1fb0

      SHA512

      59303381117ced1d99f67fbb10921e34f7ba066edb937ae6e27262941772a48fbe40b861a2954a1e40160b0661f1e2140377ee128ba9600715f6459b65c1bd72

    • memory/1220-24-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB

    • memory/1220-28-0x0000000000A70000-0x0000000000A71000-memory.dmp

      Filesize

      4KB