Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250207-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/02/2025, 00:18
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
- Size: 175KB
- MD5: d53e78fe3cddbaaad3ecf367ef3b43eb
- SHA1: 905021038017709e4284f31f3800038cbd7e0f24
- SHA256: af767d080a74637105d7c56a724c665f6a15c3d29fa9f4792ba6a8681c4e3398
- SHA512: ddc2381a9a1f54a829705150603c15fc3377bc7aa41e71b3973186afe923416ed9dad296e0538776b016054d3a8a35e1c90c4df87aa7cb9ad0a5aee47e8812c8
- SSDEEP: 3072:OO6QmEGX0JFD4nQsh1r+EVFGYt6GXiv1ystW2ei+jw2NbCnt6kRWwg9tdRRvjjSS:RGXS4nQM+EjGIXZstyi0VCnbReJRJSBc
Malware Config
Signatures
- Ardamax family
- Ardamax main executable (1 IoC)
  resource: behavioral2/files/0x0007000000023ddf-12.dat; yara_rule: family_ardamax
- Downloads MZ/PE file (1 IoC)
  flow: 53; pid: 1784; Process: Process not Found
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1290774215-692483676-1419523182-1000\Control Panel\International\Geo\Nation (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe)
- Executes dropped EXE (2 IoCs)
  pid 64: NSK.exe; pid 3376: mircex.exe
- Loads dropped DLL (5 IoCs)
  pid 4884: JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe; pid 64: NSK.exe (3 loads); pid 3376: mircex.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\NSK.007 (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe)
  File created: C:\Windows\SysWOW64\NSK.exe (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe)
  File created: C:\Windows\SysWOW64\NSK.001 (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe)
  File created: C:\Windows\SysWOW64\NSK.006 (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe)
  The four files share one stem and are written together; they land in SysWOW64, which is where a 32-bit process's writes to C:\Windows\system32 are redirected, so a host check for this sample has to look under SysWOW64.
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Winamp\Plugins\gen_ircex.dll (mircex.exe)
  File created: C:\Program Files (x86)\Winamp\Plugins\ircex-readme.txt (mircex.exe)
  File created: C:\Program Files (x86)\Winamp\Plugins\gpl.txt (mircex.exe)
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64 (NSK.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by NSK.exe, mircex.exe, MicrosoftEdgeUpdate.exe and JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 1688: MicrosoftEdgeUpdate.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (pid 64, NSK.exe); Token: SeIncBasePriorityPrivilege (pid 64, NSK.exe)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 64: NSK.exe (3 calls). SetWindowsHookEx is the API used to install keyboard hooks, the usual capture method for an Ardamax-class keylogger.
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4884 (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe) wrote to memory of 64 (procid_target 86), 3 times
  PID 4884 (JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe) wrote to memory of 3376 (procid_target 88), 3 times
  PID 3376 (mircex.exe) wrote to memory of 1728 (procid_target 91), 2 times
  Each target is a child the writer launches in the process tree (4884 starts NSK.exe and mircex.exe, 3376 starts notepad.exe), and a parent writing into a child it has just created is part of ordinary process creation, so these entries are not on their own evidence of code injection.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe"
  PID: 4884
  Signatures: Checks computer location settings; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\NSK.exe
    Command line: "C:\Windows\system32\NSK.exe"
    PID: 64
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    Note: the command line names C:\Windows\system32 but the image that ran is in C:\Windows\SysWOW64, i.e. a 32-bit process under WOW64 file-system redirection; on a host, look for NSK.* under SysWOW64, not System32.
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\mircex.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mircex.exe"
    PID: 3376
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\notepad.exe
      Command line: "C:\Windows\notepad.exe" C:\Program Files (x86)\Winamp\Plugins\\ircex-readme.txt
      PID: 1728
    The Winamp plugin install and the readme opened in Notepad are the only activity visible to the user while NSK.exe keeps running at depth 2.
- [depth 1] C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [start of the argument missing from the page]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTczNDgxODA4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  PID: 1688
  Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery
  Note: this is a top-level process, not a child of the sample; an updater /ping of this kind is background activity of the analysis image, so its NLS\Language read and connectivity check should not be attributed to the sample.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 7c4e4ed4e787b53023ec2efa6be264e6
  SHA1: 7cf456e062eed320dafb545c6e85f391f7862649
  SHA256: bbebffedc4187980721fabbf3b6b6b050998d87ef5035d1bc6a8ac086fc19243
  SHA512: 0027caa3271b6080448ec8204c2c3e37a62f0e106045f31644c8dc5be3ac6a13fec9b4c4eec1fb9408a5f7cdaf0f19240bf21ab4d69138ccb775279b933fa51a
- Filesize: 4KB
  MD5: ccfd350414f3804bbb32ddd7eb3f6153
  SHA1: e91d270b8481d456a3beabf617ef3379a93f1137
  SHA256: 1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3
  SHA512: 328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd
- Filesize: 51KB
  MD5: 40d9bfda1019eee29733fb6e0ac88a1f
  SHA1: c6f37298115f7d3bb780a0717c9383722db5f30e
  SHA256: 1debeaa110534a3330a4b6461e292578b631cac2ba3f3c79e8c8b6f990fbf68c
  SHA512: fc599e53dddb68a65b7cabf8d84afb3669a3b0f43fa4bcb444847892e505ad6645121fd456249755593cd0672f73953afbe6dcdbd7983cba792001911e2eacb7
- Filesize: 1KB
  MD5: ee51e44a66b8b05c5fbf06984dc460f6
  SHA1: 41124b42a9c76f4e11b309379b5c1c0fb3ba02af
  SHA256: b3bb8a3042579c6737f2cfac5f5507dc2d5b02c0f5e6044f097148f6733320a1
  SHA512: 60b43e0230b116064964d3c5a7b8606802ef4aa3ab3725f0504fb6fee08f72ff1bee199f8963f42ba49e664e856204e5e92f694db8192369a79202a555acb4fc
- Filesize: 4KB
  MD5: 0868167c8915fb3d87d4e5a775a57ffd
  SHA1: 5f223134e003382fd8c191a1f4ca94922f1d802e
  SHA256: 6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c
  SHA512: d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058
- Filesize: 6KB
  MD5: 5e023770dfb9d9068706facc958c7d66
  SHA1: 9cf95074a78239da000452362c2167991970e972
  SHA256: f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db
  SHA512: a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af
- Filesize: 239KB
  MD5: 2bada91f44e2a5133a5c056b31866112
  SHA1: 9fbe664832d04d79f96fa090191b73d9811ef08d
  SHA256: c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02
  SHA512: dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41