Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/02/2025, 00:35

General

  • Target

    JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe

  • Size

    516KB

  • MD5

    bd1e1ec1138bdb66d29bfcb35f3b2923

  • SHA1

    ddbd37ecf5d3e81aebed73b25ff79b1360f98b95

  • SHA256

    c4ac6b82206d28c2666fb593b476cf6e076c5c9cfd341c6e3e7af5e4724536d3

  • SHA512

    dfed6872a77e160b98459c0a7f762081f03a70d7e97d4a7d7d76a477350966e33182663bb0ff39b33d6a8f652fbad6036e53084e86c901d46c99ffa1d268cb0e

  • SSDEEP

    12288:UZEcfpzo7sVvcd5a8EeKe+7E7Eic2F+yZNbBjV31+vk2F6zOW:Jcl0575Ke+oJeyZ3jV3Mk2yb

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\SysWOW64\28463\SVPY.exe
      "C:\Windows\system32\28463\SVPY.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4076
    • C:\Users\Admin\AppData\Local\Temp\Chezy's Auto-Talker Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\Chezy's Auto-Talker Installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2836
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping ...-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDE3ODc3MTAyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@A0E3.tmp

    Filesize

    4KB

    MD5

    a33680859a24229dc931c0e8a82ae84a

    SHA1

    dff1e7e7160ffbfaae221cd3a85de40722fddde6

    SHA256

    d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3

    SHA512

    a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

  • C:\Users\Admin\AppData\Local\Temp\Chezy's Auto-Talker Installer.exe

    Filesize

    56KB

    MD5

    9a020982c87513be9e8b53967418de3c

    SHA1

    a764b34437ecc58536e0e586bf83cdc34816bcd4

    SHA256

    f46fbaadfa8922e3b92a4dbedec01a7280845e47075dd8d012d79ba8902e36fe

    SHA512

    bf22f97b4f42112e1bfc0da827b21dec0bf5b991bde7699e642a6908183a1193222f182fe24c35cea66d9dc49e4050ef37f3ef66856f7732410a116fd58c1045

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    393KB

    MD5

    1e13f68fd4258a545d262c77e38c76cd

    SHA1

    b8f6710c83e52ad354d8763a1b51293ee5758956

    SHA256

    d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247

    SHA512

    938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

  • C:\Windows\SysWOW64\28463\SVPY.001

    Filesize

    420B

    MD5

    7537439637b9d6663669871d33f9bae8

    SHA1

    606670aef84ab17dc3afc93c1f6810a804f43b3d

    SHA256

    c97c0b2d5473a39b8937f2707faa7ea874360f73822fddc7c252a5d90cd272bd

    SHA512

    5a450683602885e0fc62bcbe6fa0d3281f7244d63bf4479fd2509e4392413d4ecd400529696176af563af8b39fbbb51081913fdc40ff3f30f17b11a5e8db1dfb

  • C:\Windows\SysWOW64\28463\SVPY.006

    Filesize

    7KB

    MD5

    46e0f5831dfe24c3105ef20190c5f0d7

    SHA1

    dbd701062695f9df971bffc1fa433eb18ef61727

    SHA256

    d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9

    SHA512

    3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

  • C:\Windows\SysWOW64\28463\SVPY.007

    Filesize

    5KB

    MD5

    70c68ec7e4e7f18abf35d47976a47f0f

    SHA1

    f1263f67e712760e055833d3030ed4583611ad6f

    SHA256

    cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb

    SHA512

    80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

  • C:\Windows\SysWOW64\28463\SVPY.exe

    Filesize

    471KB

    MD5

    328ef8c28309203cfbe5655274d5ea48

    SHA1

    403399787e94f7d4e3c8e237e25399263e9f4047

    SHA256

    0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb

    SHA512

    93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a

  • memory/4076-34-0x0000000000930000-0x0000000000931000-memory.dmp

    Filesize

    4KB

  • memory/4076-42-0x0000000000930000-0x0000000000931000-memory.dmp

    Filesize

    4KB