Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/02/2025, 00:18

General

  • Target

    JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe

  • Size

    175KB

  • MD5

    d53e78fe3cddbaaad3ecf367ef3b43eb

  • SHA1

    905021038017709e4284f31f3800038cbd7e0f24

  • SHA256

    af767d080a74637105d7c56a724c665f6a15c3d29fa9f4792ba6a8681c4e3398

  • SHA512

    ddc2381a9a1f54a829705150603c15fc3377bc7aa41e71b3973186afe923416ed9dad296e0538776b016054d3a8a35e1c90c4df87aa7cb9ad0a5aee47e8812c8

  • SSDEEP

    3072:OO6QmEGX0JFD4nQsh1r+EVFGYt6GXiv1ystW2ei+jw2NbCnt6kRWwg9tdRRvjjSS:RGXS4nQM+EjGIXZstyi0VCnbReJRJSBc

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d53e78fe3cddbaaad3ecf367ef3b43eb.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Windows\SysWOW64\NSK.exe
      "C:\Windows\system32\NSK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:64
    • C:\Users\Admin\AppData\Local\Temp\mircex.exe
      "C:\Users\Admin\AppData\Local\Temp\mircex.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" C:\Program Files (x86)\Winamp\Plugins\\ircex-readme.txt
        3⤵
          PID:1728
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEFCQ0FDRDctNjQxNC00ODM1LUEyN0EtMUIzOUFEMzQ4NEUxfSIgdXNlcmlkPSJ7MEQyOTQ2REEtRjY3NS00RjlGLTg1RDYtMkMwOEU4NzlFNTlDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTAwQTIyNzUtRkMzMy00NjkwLUIwQTctMENCOEExN0Y3QjQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTczNDgxODA4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Winamp\Plugins\ircex-readme.txt

      Filesize

      2KB

      MD5

      7c4e4ed4e787b53023ec2efa6be264e6

      SHA1

      7cf456e062eed320dafb545c6e85f391f7862649

      SHA256

      bbebffedc4187980721fabbf3b6b6b050998d87ef5035d1bc6a8ac086fc19243

      SHA512

      0027caa3271b6080448ec8204c2c3e37a62f0e106045f31644c8dc5be3ac6a13fec9b4c4eec1fb9408a5f7cdaf0f19240bf21ab4d69138ccb775279b933fa51a

    • C:\Users\Admin\AppData\Local\Temp\@A76B.tmp

      Filesize

      4KB

      MD5

      ccfd350414f3804bbb32ddd7eb3f6153

      SHA1

      e91d270b8481d456a3beabf617ef3379a93f1137

      SHA256

      1dabedfe9c7cda2d8aa74c95ba57fb832a4066b20f4051c0330b4422de237eb3

      SHA512

      328e069aaced9217eb9f4b4f20e27cd7ef933427e3388b3a0829089d694ea2280a2e5511a9eb577cec2a7b409cf367b0f17d8654076931648e152936fad810bd

    • C:\Users\Admin\AppData\Local\Temp\mircex.exe

      Filesize

      51KB

      MD5

      40d9bfda1019eee29733fb6e0ac88a1f

      SHA1

      c6f37298115f7d3bb780a0717c9383722db5f30e

      SHA256

      1debeaa110534a3330a4b6461e292578b631cac2ba3f3c79e8c8b6f990fbf68c

      SHA512

      fc599e53dddb68a65b7cabf8d84afb3669a3b0f43fa4bcb444847892e505ad6645121fd456249755593cd0672f73953afbe6dcdbd7983cba792001911e2eacb7

    • C:\Windows\SysWOW64\NSK.001

      Filesize

      1KB

      MD5

      ee51e44a66b8b05c5fbf06984dc460f6

      SHA1

      41124b42a9c76f4e11b309379b5c1c0fb3ba02af

      SHA256

      b3bb8a3042579c6737f2cfac5f5507dc2d5b02c0f5e6044f097148f6733320a1

      SHA512

      60b43e0230b116064964d3c5a7b8606802ef4aa3ab3725f0504fb6fee08f72ff1bee199f8963f42ba49e664e856204e5e92f694db8192369a79202a555acb4fc

    • C:\Windows\SysWOW64\NSK.006

      Filesize

      4KB

      MD5

      0868167c8915fb3d87d4e5a775a57ffd

      SHA1

      5f223134e003382fd8c191a1f4ca94922f1d802e

      SHA256

      6a28449ee15745e772f877b6133913325400a2ca3dbf829d76cf42e0c8d6da4c

      SHA512

      d9f82239d6990b3dcc261f99f5acf20d71965b08146821575f830698fa07a5ec7ba0553494bb779e427692ada39ed5973489d1077aeec5ddfdf5a73d9c91b058

    • C:\Windows\SysWOW64\NSK.007

      Filesize

      6KB

      MD5

      5e023770dfb9d9068706facc958c7d66

      SHA1

      9cf95074a78239da000452362c2167991970e972

      SHA256

      f16ca7e5533eb28fa882eb500add2a936f8d0a705cfc9f4e6c8f4c522a2cf6db

      SHA512

      a9621e77fe22b054686924cebee3c9a5c448b2f60bd1d4c8a6d6bda161ec270d9a5c76cbe07dcd1d0ee59fdc071de1d271344c629181e14c2c0a54cbac7831af

    • C:\Windows\SysWOW64\NSK.exe

      Filesize

      239KB

      MD5

      2bada91f44e2a5133a5c056b31866112

      SHA1

      9fbe664832d04d79f96fa090191b73d9811ef08d

      SHA256

      c742feab59b4e1b7b188b02ed91ab34eaeb83c87ac6babfb5f08649ed2b8cd02

      SHA512

      dc797a06061937f8dd657a34d4373d3069c9c1a6752752516042e5d135fc41257c7a3a6738b3accd626a02f1887476197eca0ab28cf568daf57269cbe9c8eb41