Analysis
- max time kernel: 134s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-07-2024 22:17
Static task
- static1
Behavioral task
- behavioral1: sample 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe, resource win7-20240704-en
Behavioral task
- behavioral2: sample 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe, resource win10v2004-20240709-en
General
- Target: 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
- Size: 3.2MB
- MD5: 692a17f0316e72f95c2865d2e3a75da5
- SHA1: b640153939a78eded04125012200ccbc18182161
- SHA256: df0cf224c5d36aa12ea0c993aceef953765fcd64148fa2b26f3a4bb70280552e
- SHA512: d23a45cad8bb803a3770943b5cd0f62dcdbd81a217a52fec5a24d3ac594e51323b0c1c2c8ec9c5b16f4b224ffe27b8026c986d42e999b4089e5a8cb5eb5aadad
- SSDEEP: 49152:xGrT1Sk3NAbC1uMWawyxzLaSbgK9dROBvK1sInRhaV1d1N0AsJp+EIzZSj:xmSk3mu1ozy9rgKruwzO1+AsJoz6
Malware Config
Signatures
- Ardamax main executable (1 IoC)
  YARA rule family_ardamax matched resource C:\Windows\SysWOW64\YUPIRK\FOE.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation by 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  PID 3532 FOE.exe
  PID 2148 msnmsgr.exe
- Loads dropped DLL (1 IoC)
  PID 3532 FOE.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FOE Start = "C:\\Windows\\SysWOW64\\YUPIRK\\FOE.exe" by FOE.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (5 IoCs)
  File opened for modification C:\Windows\SysWOW64\YUPIRK\ by FOE.exe
  File created C:\Windows\SysWOW64\YUPIRK\FOE.004 by 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\YUPIRK\FOE.001 by 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\YUPIRK\FOE.002 by 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
  File created C:\Windows\SysWOW64\YUPIRK\FOE.exe by 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by FOE.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msnmsgr.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 by PID 3532 FOE.exe
  Token: SeIncBasePriorityPrivilege by PID 3532 FOE.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 3532 FOE.exe (4 calls)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3624 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe wrote to memory of PID 3532 FOE.exe (3 times)
  PID 3624 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe wrote to memory of PID 2148 msnmsgr.exe (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe (PID 3624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\YUPIRK\FOE.exe (PID 3532, child of 3624)
    Command line: "C:\Windows\system32\YUPIRK\FOE.exe" (the system32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WOW64 file system redirection, which is why the dropped files and the image path are under SysWOW64)
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe (PID 2148, child of 3624)
    Command line: "C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
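The behaviours above reduce to three things a responder can hunt for on other hosts: a Run value that points into a subdirectory of SysWOW64 (or System32), files dropped into such a subdirectory by a process running from the user's Temp folder, and the sample's own hashes. The following is an added triage example, not part of this sandbox report or of the Ardamax sample. The event schema (one dict per event with "type", "process" and "path"/"key"/"value") is an assumption made for the illustration; the event records are constructed to mirror the IoCs listed above, plus two benign controls, and would need to be mapped from real telemetry (Sysmon file-create and registry events, EDR exports) before use. The hash set is copied from the General section.

```python
"""Triage rules modelled on this report's behaviours.  Added example; the
event schema is assumed and the SAMPLE_EVENTS are constructed, not sandbox
output.  The KNOWN_BAD digests are the report's own hashes of the sample."""
import hashlib
import re

# Digests of the submitted sample, copied from the report's General section.
KNOWN_BAD = {
    "md5": "692a17f0316e72f95c2865d2e3a75da5",
    "sha1": "b640153939a78eded04125012200ccbc18182161",
    "sha256": "df0cf224c5d36aa12ea0c993aceef953765fcd64148fa2b26f3a4bb70280552e",
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# A file inside a *subdirectory* of System32 or SysWOW64, such as
# C:\Windows\SysWOW64\YUPIRK\FOE.exe.  Files directly inside System32 are
# deliberately not matched: that is where legitimate binaries live.
SYSDIR_SUBDIR_RE = re.compile(
    r"^c:\\windows\\(?:system32|syswow64)\\[^\\]+\\[^\\]+$", re.I)
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def _as_path(value):
    """Normalise a Run value to a bare path.  Sandbox reports escape
    backslashes ("C:\\\\Windows") and quote the path; undo both."""
    v = value.strip().replace("\\\\", "\\")
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    return v


def triage(events):
    """Apply the two behavioural rules to an iterable of event dicts and
    return one finding dict per hit, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            target = _as_path(ev["value"])
            if SYSDIR_SUBDIR_RE.match(target):
                findings.append({"rule": "run_key_into_system_dir_subfolder",
                                 "process": ev["process"], "key": ev["key"],
                                 "target": target})
        elif ev["type"] == "file_create":
            if USER_TEMP_RE.match(ev["process"]) and SYSDIR_SUBDIR_RE.match(ev["path"]):
                findings.append({"rule": "temp_process_drops_into_system_dir_subfolder",
                                 "process": ev["process"], "path": ev["path"]})
    return findings


def digests(data):
    """MD5/SHA1/SHA256 of a file's bytes, keyed like KNOWN_BAD."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_bad(d):
    """Names of the algorithms whose digest equals the report's sample."""
    return sorted(alg for alg, h in d.items() if KNOWN_BAD.get(alg) == h.lower())


# Constructed events mirroring the report's IoCs, followed by two benign
# controls (an installer registering a Program Files binary, and a system
# process writing directly into System32) that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "process": DROPPER, "path": r"C:\Windows\SysWOW64\YUPIRK\FOE.exe"},
    {"type": "file_create", "process": DROPPER, "path": r"C:\Windows\SysWOW64\YUPIRK\FOE.001"},
    {"type": "file_create", "process": DROPPER, "path": r"C:\Windows\SysWOW64\YUPIRK\FOE.002"},
    {"type": "file_create", "process": DROPPER, "path": r"C:\Windows\SysWOW64\YUPIRK\FOE.004"},
    {"type": "reg_set", "process": r"C:\Windows\SysWOW64\YUPIRK\FOE.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FOE Start",
     "value": r'"C:\\Windows\\SysWOW64\\YUPIRK\\FOE.exe"'},
    {"type": "reg_set", "process": r"C:\Program Files\Example\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example",
     "value": r'"C:\Program Files\Example\example.exe"'},
    {"type": "file_create", "process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(matches_known_bad(digests(b"not the sample")))
```

Run against the constructed events, the rules return four drop findings (FOE.exe, FOE.001, FOE.002, FOE.004) and one persistence finding for the "FOE Start" Run value, and neither benign control fires. The subdirectory constraint in SYSDIR_SUBDIR_RE is the important design choice: matching on System32 alone would page on every Windows update, whereas a freshly created folder under SysWOW64 holding an executable that a Temp-resident process wrote is rare on a managed host.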
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.5MB
  MD5: fdec512cb8752174649d3a513893938a
  SHA1: 9abd77cbe226d820997af6dc47d3e71b2fe3d254
  SHA256: d5048027c7530d6b7f0c9dd7436f755fa328d4819fca9a1b95fcc8af906096b2
  SHA512: 1258301b2f3e9e7a19c92644cfad73b7db57a35277497315f78603d7ecf1c01e43beeeee6a01f7f23044e360935537369993426a3d4249261a79bec662171cfa
- Filesize: 60KB
  MD5: 5b79ad0d1d30119158b5ab4147edbd96
  SHA1: 6f802d57d49d7063e40b7bebafa8fb1051e0a907
  SHA256: 4ccebd38ac000cbc33a6cfc2e87e900ef64ba4b978f3facfdb5870e217ac3ff7
  SHA512: 497e3eff3c7356cf12efd153b651d1a1ef2cb07302eb5b71dcff0d6732e5273bcff5f82897dff85cdaae0bc159fa9c4588e3bc90ab12521532675bf116757c6b
- Filesize: 43KB
  MD5: af3efaa90f29f6506693136ae1674fc7
  SHA1: 897aea8f6df7e29d43954512fc390b97c0eb4550
  SHA256: 4658d92f74df5ee142c08157985e25e41f74aaaa4256df9dfc9a011b7c3f0f44
  SHA512: 1a87ce2d0767204b1d636ce70c083c71f5cfa064680218906ff86c233968baca7ef605f2b1d9bfaf8326a8cbff7074ace766604b283c1a2b50d5788038dc9863
- Filesize: 1KB
  MD5: 464347ea2485f7510c1c127cf6cebf2f
  SHA1: 8d31e5f1b2a4b912cd3a9facd34ee0d51d089dcb
  SHA256: e2d69466e60ab756962c932744fabdd5f8323a958747e59de576cb4c92554797
  SHA512: 2c200554ed3c0c9a8ef1dd3385f7f44a661d98d0f3fd5d43d64a6e38d43e70cc49ac698b2087e4ede3403b7547489d124dc86d6057303a6b6c5a75572b0320ac
- Filesize: 1.7MB
  MD5: 78dd492b06d03744d1954781d33775ca
  SHA1: ef9462193e6ba7be64458ea1be6afcaeadc574b1
  SHA256: c0664f94e9b2a7817f79b9457c31e524ef72ed7c073e79546d67e857b4637ede
  SHA512: f88734970018f46b8c4ce350cccf577ac056957e933deb493becbc30b7165834ca68db423850220f8944b364dc97e1423247192faf4f3e4db85cf25c4576eef9