Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250207-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/02/2025, 00:35
Static task: static1

Behavioral task: behavioral1
    Sample: JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    Resource: win7-20250207-en

Behavioral task: behavioral2
    Sample: JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    Resource: win10v2004-20250207-en
General

Target: JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
Size: 516KB
MD5: bd1e1ec1138bdb66d29bfcb35f3b2923
SHA1: ddbd37ecf5d3e81aebed73b25ff79b1360f98b95
SHA256: c4ac6b82206d28c2666fb593b476cf6e076c5c9cfd341c6e3e7af5e4724536d3
SHA512: dfed6872a77e160b98459c0a7f762081f03a70d7e97d4a7d7d76a477350966e33182663bb0ff39b33d6a8f652fbad6036e53084e86c901d46c99ffa1d268cb0e
SSDEEP: 12288:UZEcfpzo7sVvcd5a8EeKe+7E7Eic2F+yZNbBjV31+vk2F6zOW:Jcl0575Ke+oJeyZ3jV3Mk2yb
Malware Config
Signatures

Ardamax family

Ardamax main executable (1 IoC)
    resource: behavioral2/files/0x000e000000023d51-12.dat    yara_rule: family_ardamax

Downloads MZ/PE file (1 IoC)
    flow: 27    PID: 412    process: not found

Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence check.
    Key value queried: \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe

Executes dropped EXE (2 IoCs)
    PID 4076    SVPY.exe
    PID 2836    Chezy's Auto-Talker Installer.exe

Loads dropped DLL (5 IoCs)
    PID 4036    JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    PID 4076    SVPY.exe (3 loads)
    PID 2836    Chezy's Auto-Talker Installer.exe

Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVPY Agent = "C:\\Windows\\SysWOW64\\28463\\SVPY.exe"    by SVPY.exe

Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
    File created: C:\Windows\SysWOW64\28463\SVPY.001    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    File created: C:\Windows\SysWOW64\28463\SVPY.006    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    File created: C:\Windows\SysWOW64\28463\SVPY.007    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    File created: C:\Windows\SysWOW64\28463\SVPY.exe    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    File created: C:\Windows\SysWOW64\28463\AKV.exe    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    File opened for modification: C:\Windows\SysWOW64\28463    by SVPY.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    by Chezy's Auto-Talker Installer.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    by MicrosoftEdgeUpdate.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    by JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    by SVPY.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
    Adversaries may check for Internet connectivity on compromised systems.
    PID 2080    MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: 33    PID 4076    SVPY.exe
    Token: SeIncBasePriorityPrivilege    PID 4076    SVPY.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
    PID 2836    Chezy's Auto-Talker Installer.exe (2 calls)
    PID 4076    SVPY.exe (3 calls)

Suspicious use of WriteProcessMemory (6 IoCs)
    PID 4036 (JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe) wrote to memory of PID 4076, procid_target 87 (3 writes)
    PID 4036 (JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe) wrote to memory of PID 2836, procid_target 88 (3 writes)
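The three behaviours that together mark this sample in the signatures above are the drop into a numeric folder under SysWOW64, the Run value that points back into that folder, and the Geo\Nation country-code read from a process running out of the user's Temp directory. The script below is an added example, not part of the tria.ge report or of the sample: it runs three per-process rules over a constructed, loosely Sysmon-shaped event list (the event schema, the benign decoy rows and the rule weights are invented for the example; the malicious values are the IoCs listed above). One detail it accounts for: the child's command line reads C:\Windows\system32\28463\SVPY.exe while its image path reads SysWOW64, because a 32-bit process writing under system32 is redirected to SysWOW64 and its HKLM\SOFTWARE Run value lands under WOW6432Node, so both spellings must match.

```python
"""Hunt for the drop-and-persist pattern recorded in the signatures above.

Added example, not part of the tria.ge report or of the sample.  Event
shapes, decoy rows and weights are constructed for the example; the
malicious values are the report's IoCs.  Scoring is once per rule per
process so a single noisy indicator cannot dominate.
"""
import re
from collections import defaultdict

# WoW64 redirection: system32 writes land in SysWOW64, HKLM\SOFTWARE Run
# values land under WOW6432Node.  Match both spellings of each.
NUMBERED_SYSTEM_DIR = re.compile(
    r"^C:\\Windows\\(?:SysWOW64|system32)\\\d+\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe"
PAYLOAD = r"C:\Windows\SysWOW64\28463\SVPY.exe"

# Constructed, loosely Sysmon-shaped events.  Rows 0-5 carry the report's
# IoCs; rows 6-8 are benign decoys a naive substring match would flag.
EVENTS = [
    {"type": "file_create", "pid": 4036, "image": DROPPER, "target": r"C:\Windows\SysWOW64\28463\SVPY.001"},
    {"type": "file_create", "pid": 4036, "image": DROPPER, "target": r"C:\Windows\SysWOW64\28463\SVPY.006"},
    {"type": "file_create", "pid": 4036, "image": DROPPER, "target": r"C:\Windows\SysWOW64\28463\SVPY.007"},
    {"type": "file_create", "pid": 4036, "image": DROPPER, "target": PAYLOAD},
    {"type": "reg_set", "pid": 4076, "image": PAYLOAD,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SVPY Agent",
     "data": '"C:\\Windows\\SysWOW64\\28463\\SVPY.exe"'},
    {"type": "reg_query", "pid": 4036, "image": DROPPER,
     "target": r"HKU\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "pid": 1200, "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "pid": 900, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\SysWOW64\drivers\etc\hosts"},
    {"type": "reg_query", "pid": 3300, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
]


def run_key_into_numbered_system_dir(ev):
    """Autostart value whose executable lives in a numeric SysWOW64 subfolder."""
    if ev["type"] != "reg_set" or not RUN_KEY.search(ev["target"]):
        return False
    return NUMBERED_SYSTEM_DIR.match(ev.get("data", "").strip('"')) is not None


def drop_into_numbered_system_dir(ev):
    """File written into a numeric subfolder of SysWOW64 (28463 in this report)."""
    return ev["type"] == "file_create" and NUMBERED_SYSTEM_DIR.match(ev["target"]) is not None


def geofence_probe_from_temp(ev):
    """Country-code (Geo Nation) value read by a process running out of a user's Temp."""
    return (ev["type"] == "reg_query" and GEO_NATION.search(ev["target"]) is not None
            and USER_TEMP.match(ev["image"]) is not None)


# (rule name, predicate, weight); weights are illustrative only
RULES = [
    ("persistence.run_key_numbered_syswow", run_key_into_numbered_system_dir, 80),
    ("drop.numbered_syswow_dir", drop_into_numbered_system_dir, 30),
    ("discovery.geo_nation_from_temp", geofence_probe_from_temp, 20),
]


def evaluate(events):
    """Score each process once per rule; keep every matching target for triage."""
    findings = defaultdict(lambda: {"image": None, "score": 0, "rules": {}})
    for ev in events:
        for name, pred, weight in RULES:
            if not pred(ev):
                continue
            f = findings[ev["pid"]]
            f["image"] = ev["image"]
            if name not in f["rules"]:
                f["score"] += weight
            f["rules"].setdefault(name, []).append(ev["target"])
    return dict(findings)


def collection_list(findings):
    """Artifacts to pull from the host: every flagged registry path and file."""
    paths = set()
    for f in findings.values():
        for targets in f["rules"].values():
            paths.update(targets)
    return sorted(paths)


if __name__ == "__main__":
    results = evaluate(EVENTS)
    for pid, f in sorted(results.items(), key=lambda kv: -kv[1]["score"]):
        print(f"PID {pid} score={f['score']} image={f['image']}")
        for rule, targets in f["rules"].items():
            print(f"  {rule}: {len(targets)} hit(s)")
    print("collect:", *collection_list(results), sep="\n  ")
```

The NLS\Language key open is deliberately not a rule: the report shows MicrosoftEdgeUpdate.exe opening the same key, so on its own it does not separate the sample from updater noise; it is only worth anything in combination with the drop and Run-key hits on the same process tree.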
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe    PID 4036
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd1e1ec1138bdb66d29bfcb35f3b2923.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\28463\SVPY.exe    PID 4076    (child of 4036)
        command line: "C:\Windows\system32\28463\SVPY.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\Chezy's Auto-Talker Installer.exe    PID 2836    (child of 4036)
        command line: "C:\Users\Admin\AppData\Local\Temp\Chezy's Auto-Talker Installer.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe    PID 2080
    command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDE3ODc3MTAyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
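The MicrosoftEdgeUpdate.exe process in the tree above trips two of the same signatures as the sample (language discovery, Internet-connectivity check), so it is worth confirming what its /ping argument carries before treating it as related. The argument is base64url (note the "-" characters and the stripped "=" padding). The script below is an added example, not part of the report: it decodes the visible tail of the argument as recorded above and pulls out the attributes of the XML it contains. The report's copy of the argument is cut off before this point, so the leading <request ...> element is missing from the decoded text; the parser prepends a bare <request> to make the fragment well-formed, which is an assumption about the elided part.

```python
"""Decode the /ping argument MicrosoftEdgeUpdate.exe was launched with.

Added example, not part of the report.  Decoding shows a version/event
report (an <app> element with one <event>), not a channel the sample
controls, which is why the updater's hits on the discovery signatures
are noise here.
"""
import base64
import xml.etree.ElementTree as ET

# The /ping argument as recorded in the process tree above.  The report's
# copy starts mid-string; this is the visible tail from the first complete
# base64 group ("PGFw" decodes to "<ap"), so it decodes on its own.
PING_ARG = (
    "PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUz"
    "MEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0i"
    "IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdl"
    "PSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFs"
    "bF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9"
    "IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUx"
    "PSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDE3ODc3MTAyIi8-"
    "PC9hcHA-PC9yZXF1ZXN0Pg"
)


def decode_ping(arg):
    """base64url-decode (the '-' characters) and restore the stripped padding."""
    padded = arg + "=" * (-len(arg) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def parse_ping(fragment):
    """Return the <app> attributes and each <event> element's attributes.

    The recorded fragment begins at <app> and ends with </request>, so the
    opening <request ...> tag was lost with the elided prefix.  A bare
    <request> is prepended here (an assumption) so the fragment parses.
    """
    if not fragment.lstrip().startswith("<request"):
        fragment = "<request>" + fragment
    root = ET.fromstring(fragment)
    app = root.find("app")
    if app is None:
        raise ValueError("no <app> element in ping payload")
    return {"app": dict(app.attrib),
            "events": [dict(e.attrib) for e in app.findall("event")]}


def summarize(arg):
    """One-line triage summary: app id, version and the event type/result pairs."""
    info = parse_ping(decode_ping(arg))
    codes = ",".join(f"{e.get('eventtype')}/{e.get('eventresult')}" for e in info["events"])
    return f"appid={info['app'].get('appid')} version={info['app'].get('version')} events={codes}"


if __name__ == "__main__":
    print(decode_ping(PING_ARG))
    print(summarize(PING_ARG))
```

The same two functions apply to any base64url-encoded argument found on a command line in a report like this one; the point is to decode before deciding whether a process belongs to the infection chain or is background activity of the sandbox image.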
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 4KB
MD5: a33680859a24229dc931c0e8a82ae84a
SHA1: dff1e7e7160ffbfaae221cd3a85de40722fddde6
SHA256: d5913b88289154f5979c03325b29f00d1d8c6a1e5f6195df915d96a46d0f71f3
SHA512: a419214699ab3478926fbb7f621a616e192eae22db20e72c83a4b529ba5307ab4dc906e0b1286bc4e4cb13ba1e28fb93fa4918c3ff7345273197e39c206c10bf

Filesize: 56KB
MD5: 9a020982c87513be9e8b53967418de3c
SHA1: a764b34437ecc58536e0e586bf83cdc34816bcd4
SHA256: f46fbaadfa8922e3b92a4dbedec01a7280845e47075dd8d012d79ba8902e36fe
SHA512: bf22f97b4f42112e1bfc0da827b21dec0bf5b991bde7699e642a6908183a1193222f182fe24c35cea66d9dc49e4050ef37f3ef66856f7732410a116fd58c1045

Filesize: 393KB
MD5: 1e13f68fd4258a545d262c77e38c76cd
SHA1: b8f6710c83e52ad354d8763a1b51293ee5758956
SHA256: d7785409d6e2512d9d907670f79b313192a85138707c6ca0cc59a71f8fd6a247
SHA512: 938880407818a1489ecb9911cf05d4c9b69ecb2e0f908c3d3b8ba87b8c437ae16916e46bdf780bba24c38ad2c3981a5dcd4d3acd8ea227ac4dced12f1ca21eb3

Filesize: 420B
MD5: 7537439637b9d6663669871d33f9bae8
SHA1: 606670aef84ab17dc3afc93c1f6810a804f43b3d
SHA256: c97c0b2d5473a39b8937f2707faa7ea874360f73822fddc7c252a5d90cd272bd
SHA512: 5a450683602885e0fc62bcbe6fa0d3281f7244d63bf4479fd2509e4392413d4ecd400529696176af563af8b39fbbb51081913fdc40ff3f30f17b11a5e8db1dfb

Filesize: 7KB
MD5: 46e0f5831dfe24c3105ef20190c5f0d7
SHA1: dbd701062695f9df971bffc1fa433eb18ef61727
SHA256: d7c7932d10e19ebde38c50583b4f5a0215a0ac88a2b131ea1b2a97824af759f9
SHA512: 3dbe9e90f989ae3939d304f9f7822c3886e2d76ef575162e6a0518b61f5a52fcd8d0c63e06bbcf920c6f8298cb918ef5f3c0b92d42e99fa3eaabd787fc686a61

Filesize: 5KB
MD5: 70c68ec7e4e7f18abf35d47976a47f0f
SHA1: f1263f67e712760e055833d3030ed4583611ad6f
SHA256: cb8664787c631611643518ca2853f10ba9d460c25e476f55fb1b9f79838801fb
SHA512: 80cad83643c9c83be70809eebb4b662f58a323cbd5f1bfbc328722fbfa16f1a846f9ef159552a066850f12157cb7388d6ab37ea6f4e7563fff7cc26258b77a81

Filesize: 471KB
MD5: 328ef8c28309203cfbe5655274d5ea48
SHA1: 403399787e94f7d4e3c8e237e25399263e9f4047
SHA256: 0f92918405d195ce10b0c897f07a73493d06e9e49505371a525d50cea75213bb
SHA512: 93dde6ab2d06af2d09b7f52619f2f475912152bbfd4b4ff93796eeffe7363f0ee777f4a46edb808039466fe0f82036dc291a378d4a8c6e407f0e1d4f3f6ea40a