Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 09/02/2025, 05:40
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe
- Resource: win10v2004-20250207-en
General
- Target: JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe
- Size: 1.5MB
- MD5: cbce3751d9279bbd3b234cace96d988e
- SHA1: 5416aa8f163bbe6b07f5b340fa6d0c1057a15ac9
- SHA256: 576a29bba2fb680a9f55458b9da9afcb44625852cd885e413213ffd9ac88279e
- SHA512: cc7506a61d07ec24c7a175c8f6417ca399ae346134eb2fce18a1a2bada1f08c84f85211fd3f0010d77ae57065e3195d84416c3ceb272fcdb4199acf51b8cc785
- SSDEEP: 24576:2wAUat/MkChkpz5RfIAjN2EBcMVh68z94iCHXOWpTpBn0OZpuJsM7/hbYv/:EUataKzRXszio8zk+Wd0OZpa9t0
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource: behavioral1/files/0x00050000000197fd-622.dat
  yara_rule: family_ardamax
- Executes dropped EXE (3 IoCs)
  PID 2312  Install.exe
  PID 3044  HQR.exe
  PID 1892  cmd.exe
- Loads dropped DLL (8 IoCs)
  PID 1688  JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe  (1 load)
  PID 2312  Install.exe  (2 loads)
  PID 3044  HQR.exe  (5 loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HQR Start = "C:\\Windows\\SysWOW64\\KKDMJT\\HQR.exe"  (process: HQR.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\KKDMJT\AKV.exe  (process: Install.exe)
  File created: C:\Windows\SysWOW64\KKDMJT\HQR.exe  (process: Install.exe)
  File opened for modification: C:\Windows\SysWOW64\KKDMJT\  (process: HQR.exe)
  File created: C:\Windows\SysWOW64\KKDMJT\HQR.004  (process: Install.exe)
  File created: C:\Windows\SysWOW64\KKDMJT\HQR.001  (process: Install.exe)
  File created: C:\Windows\SysWOW64\KKDMJT\HQR.002  (process: Install.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: Install.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: HQR.exe)
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Token: 33                          PID 1688  JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe  (3 times)
  Token: SeIncBasePriorityPrivilege  PID 1688  JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe  (3 times)
  Token: 33                          PID 2312  Install.exe
  Token: SeIncBasePriorityPrivilege  PID 2312  Install.exe
  Token: 33                          PID 3044  HQR.exe
  Token: SeIncBasePriorityPrivilege  PID 3044  HQR.exe  (2 times)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3044  HQR.exe  (4 times)
- Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1688 (JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe) wrote to memory of PID 2312, procid_target 30  (7 times)
  PID 2312 (Install.exe) wrote to memory of PID 3044, procid_target 32  (7 times)
  PID 3044 (HQR.exe) wrote to memory of PID 1892, procid_target 33  (7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe  (PID 1688, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbce3751d9279bbd3b234cace96d988e.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.1.11.06\2012.02.21T20.55\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe  (PID 2312, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.1.11.06\2012.02.21T20.55\Native\STUBEXE\@SYSTEM@\KKDMJT\HQR.exe  (PID 3044, level 3)
      Command line: "C:\Windows\system32\KKDMJT\HQR.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.1.11.06\2012.02.21T20.55\Native\STUBEXE\@SYSTEM@\cmd.exe  (PID 1892, level 4)
        Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\KKDMJT\HQR.exe > nul
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- \Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.1.11.06\2012.02.21T20.55\Native\STUBEXE\@SYSTEM@\KKDMJT\HQR.exe
  Filesize: 17KB
- \Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.1.11.06\2012.02.21T20.55\Native\STUBEXE\@SYSTEM@\cmd.exe
  Filesize: 17KB
- \Users\Admin\AppData\Local\Xenocode\Sandbox\scanner tools\20.1.11.06\2012.02.21T20.55\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Install.exe
  Filesize: 17KB