Malware Analysis Report

2024-10-18 23:06

Sample ID 240723-17gnqssajp
Target 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118
SHA256 df0cf224c5d36aa12ea0c993aceef953765fcd64148fa2b26f3a4bb70280552e
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-07-23 22:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 22:17

Reported

2024-07-23 22:19

Platform

win7-20240704-en

Max time kernel

121s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FOE Start = "C:\\Windows\\SysWOW64\\YUPIRK\\FOE.exe" C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\YUPIRK\FOE.004 C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.001 C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.002 C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.exe C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\YUPIRK\ C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"

C:\Windows\SysWOW64\YUPIRK\FOE.exe

"C:\Windows\system32\YUPIRK\FOE.exe"

C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe

"C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"

Network

N/A

Files

\Windows\SysWOW64\YUPIRK\FOE.exe


C:\Windows\SysWOW64\YUPIRK\FOE.004


C:\Windows\SysWOW64\YUPIRK\FOE.002


C:\Windows\SysWOW64\YUPIRK\FOE.001


\Users\Admin\AppData\Local\Temp\msnmsgr.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 22:17

Reported

2024-07-23 22:19

Platform

win10v2004-20240709-en

Max time kernel

134s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FOE Start = "C:\\Windows\\SysWOW64\\YUPIRK\\FOE.exe" C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\YUPIRK\ C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.004 C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.001 C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.002 C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\YUPIRK\FOE.exe C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A
N/A N/A C:\Windows\SysWOW64\YUPIRK\FOE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\692a17f0316e72f95c2865d2e3a75da5_JaffaCakes118.exe"

C:\Windows\SysWOW64\YUPIRK\FOE.exe

"C:\Windows\system32\YUPIRK\FOE.exe"

C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe

"C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe"

Network

Files

C:\Windows\SysWOW64\YUPIRK\FOE.exe


C:\Windows\SysWOW64\YUPIRK\FOE.004


C:\Windows\SysWOW64\YUPIRK\FOE.002


C:\Windows\SysWOW64\YUPIRK\FOE.001


C:\Users\Admin\AppData\Local\Temp\msnmsgr.exe
