Malware Analysis Report

2024-10-18 23:06

Sample ID 240723-lp32payhpd
Target 6710a47a92418d07842bc390f46fd528_JaffaCakes118
SHA256 c3a9195f011e754d6dee51969cd29769bf6b619215ce3d02562f289e42a1cd15
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 c3a9195f011e754d6dee51969cd29769bf6b619215ce3d02562f289e42a1cd15

Threat Level: Known bad

The file 6710a47a92418d07842bc390f46fd528_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 09:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 09:43

Reported

2024-07-23 10:18

Platform

win7-20240708-en

Max time kernel

14s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ETYW Agent = "C:\\Windows\\SysWOW64\\28463\\ETYW.exe" | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\ETYW.001 | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.006 | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.007 | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.exe | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe

"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe"

C:\Windows\SysWOW64\28463\ETYW.exe

"C:\Windows\system32\28463\ETYW.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\VSK 3.0.exe

MD5 fc6f53d0c0189de5d979ef0ddfbe799e
SHA1 0e01696ac6ef1ab292c97c6cee225699383785c5
SHA256 9407cd0ffc4a081a2cfbfdffdeb67cdd8636348717d00cef319998019e4317db
SHA512 334160b1cc05af4bf95dffc4ee0921c3589d67b8146e1473d649657303e4a035341de08e3139c5a2f74bdb2df83afe244370a0b0c15848eee9f986371d93ba4c

\Users\Admin\AppData\Local\Temp\@864F.tmp

MD5 908f7f4b0cf93759447afca95cd84aa6
SHA1 d1903a49b211bcb4a460904019ee7441420aa961
SHA256 3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23
SHA512 958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

C:\Windows\SysWOW64\28463\ETYW.exe

MD5 d7bd4739313a8e2fc9e080b7d0ba13b2
SHA1 808fcbe663bc02780b1d9962873a1e3066d55f05
SHA256 c9b47519386b1b7cd6dfecd42e586883d301b7a99c0c3d67a4beabc3ae3dcd6b
SHA512 d70e04444a2cc0f5b1fc5c81873b2c93582afa013f9aafe0e7c0eaaac36582b736b6ad8ef23a3d3aa4e3541fd478cbdcb8596dd4d233ada85f861c858c94b398

C:\Users\Admin\AppData\Local\Temp\VSK 3.0.rar

MD5 069cbaf27c7990208595ce367717de0f
SHA1 4c3d9b1a28ca0e0b090e24ae22d2d0d58d7deddb
SHA256 8df8ec3539239badd2e0723d6745034faf3bb9047d3e4be4d0431154c162d3c6
SHA512 d9bc6d38563867eb7e5d2edd230bc1e1b26abcf9cd48e87b6072e6ff67ccc29d8137ca6fbfd1bb02800aa774e78b0ceb9f4ef88093b67b7ff7713797341177f3

C:\Windows\SysWOW64\28463\ETYW.007

MD5 ca72cd485d116033f1b776903ce7ee0a
SHA1 85b0b73a75b0498f56200dd1a5cf0de5371e42a3
SHA256 e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4
SHA512 8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

C:\Windows\SysWOW64\28463\ETYW.006

MD5 e0fcfa7cad88d1a8a462cee6b06cf668
SHA1 a7e49078517abc929a6da261df06556c8f5a8cf0
SHA256 340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4
SHA512 430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

memory/2816-36-0x0000000000250000-0x0000000000251000-memory.dmp

C:\Windows\SysWOW64\28463\ETYW.001

MD5 b0c0fd6d05dce3ef4ed77b5c76d845a1
SHA1 7cf746f2c10607149e61ed7f7eb78458078ed7c3
SHA256 0b02dd42de0fa12b16f6e4f5373793accf71bbb3ad7ce691c50800b01a8ba043
SHA512 4c01e07cc782f2cbdd84454948ef47f13c41e752559b3abffd2100e475f356fdb396c90367b2c5f5d1cffc702b87379840a59a492105530ab8ae55ddff7bb42d

C:\Windows\SysWOW64\28463\AKV.exe

MD5 b0b09699ea39c0107af1c0833f07c054
SHA1 b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1
SHA256 be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1
SHA512 55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 09:43

Reported

2024-07-23 10:18

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ETYW Agent = "C:\\Windows\\SysWOW64\\28463\\ETYW.exe" | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.001 | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.006 | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.007 | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\ETYW.exe | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\ETYW.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6710a47a92418d07842bc390f46fd528_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe

"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\28463\ETYW.exe

"C:\Windows\system32\28463\ETYW.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe

MD5 fc6f53d0c0189de5d979ef0ddfbe799e
SHA1 0e01696ac6ef1ab292c97c6cee225699383785c5
SHA256 9407cd0ffc4a081a2cfbfdffdeb67cdd8636348717d00cef319998019e4317db
SHA512 334160b1cc05af4bf95dffc4ee0921c3589d67b8146e1473d649657303e4a035341de08e3139c5a2f74bdb2df83afe244370a0b0c15848eee9f986371d93ba4c

C:\Users\Admin\AppData\Local\Temp\@ACF9.tmp

MD5 908f7f4b0cf93759447afca95cd84aa6
SHA1 d1903a49b211bcb4a460904019ee7441420aa961
SHA256 3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23
SHA512 958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

C:\Windows\SysWOW64\28463\ETYW.exe

MD5 d7bd4739313a8e2fc9e080b7d0ba13b2
SHA1 808fcbe663bc02780b1d9962873a1e3066d55f05
SHA256 c9b47519386b1b7cd6dfecd42e586883d301b7a99c0c3d67a4beabc3ae3dcd6b
SHA512 d70e04444a2cc0f5b1fc5c81873b2c93582afa013f9aafe0e7c0eaaac36582b736b6ad8ef23a3d3aa4e3541fd478cbdcb8596dd4d233ada85f861c858c94b398

C:\Users\Admin\AppData\Local\Temp\VSK 3.0.rar

MD5 069cbaf27c7990208595ce367717de0f
SHA1 4c3d9b1a28ca0e0b090e24ae22d2d0d58d7deddb
SHA256 8df8ec3539239badd2e0723d6745034faf3bb9047d3e4be4d0431154c162d3c6
SHA512 d9bc6d38563867eb7e5d2edd230bc1e1b26abcf9cd48e87b6072e6ff67ccc29d8137ca6fbfd1bb02800aa774e78b0ceb9f4ef88093b67b7ff7713797341177f3

C:\Windows\SysWOW64\28463\ETYW.007

MD5 ca72cd485d116033f1b776903ce7ee0a
SHA1 85b0b73a75b0498f56200dd1a5cf0de5371e42a3
SHA256 e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4
SHA512 8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

C:\Windows\SysWOW64\28463\ETYW.006

MD5 e0fcfa7cad88d1a8a462cee6b06cf668
SHA1 a7e49078517abc929a6da261df06556c8f5a8cf0
SHA256 340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4
SHA512 430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

C:\Windows\SysWOW64\28463\ETYW.001

MD5 b0c0fd6d05dce3ef4ed77b5c76d845a1
SHA1 7cf746f2c10607149e61ed7f7eb78458078ed7c3
SHA256 0b02dd42de0fa12b16f6e4f5373793accf71bbb3ad7ce691c50800b01a8ba043
SHA512 4c01e07cc782f2cbdd84454948ef47f13c41e752559b3abffd2100e475f356fdb396c90367b2c5f5d1cffc702b87379840a59a492105530ab8ae55ddff7bb42d

C:\Windows\SysWOW64\28463\AKV.exe

MD5 b0b09699ea39c0107af1c0833f07c054
SHA1 b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1
SHA256 be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1
SHA512 55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796
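Detection notes (added example, not part of the sandbox output)

The two behavioral runs above agree on the host-side chain: the submitted sample drops VSK 3.0.exe into the user's Temp directory, which writes a numeric directory under C:\Windows\SysWOW64\ (28463) containing ETYW.exe, AKV.exe and the companion ETYW.001/.006/.007 files, and ETYW.exe then persists itself through the HKLM ...\CurrentVersion\Run\ETYW Agent value. The command line shown for ETYW.exe says system32 while the image path says SysWOW64; that is WoW64 file-system redirection of a 32-bit process, not a path-spoofing trick. The Win10 network entries (Google reverse lookups, g.bing.com, tse1.mm.bing.net) are not attributed to any process in the report and are consistent with OS background traffic, so the report records no C2 and a detection has to key on the host artifacts.

The following Python is an added example written for this page, not code from the sandbox vendor or from the report. It runs three checks over Sysmon-style event records: a Run-key value whose executable lives in a numeric subdirectory of System32/SysWOW64 (the persistence signature above), a dropped .exe sitting beside .001/.006/.007 companions in the same directory (the file layout above), and a hash match against the SHA256 values listed in the Files sections. The event records and the second hash entry are constructed for the example; the field names (EventID 11/13, Image, TargetFilename, TargetObject, Details) follow Sysmon's FileCreate and RegistryEvent schema, but the events themselves are not from the report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# SHA256 values copied from the report's Files sections.
KNOWN_SHA256 = {
    "c3a9195f011e754d6dee51969cd29769bf6b619215ce3d02562f289e42a1cd15": "submitted sample 6710a47a92418d07842bc390f46fd528_JaffaCakes118",
    "9407cd0ffc4a081a2cfbfdffdeb67cdd8636348717d00cef319998019e4317db": "VSK 3.0.exe (dropper)",
    "c9b47519386b1b7cd6dfecd42e586883d301b7a99c0c3d67a4beabc3ae3dcd6b": "ETYW.exe (Ardamax agent)",
    "be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1": "AKV.exe",
    "0b02dd42de0fa12b16f6e4f5373793accf71bbb3ad7ce691c50800b01a8ba043": "ETYW.001",
    "340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4": "ETYW.006",
    "e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4": "ETYW.007",
}

# An .exe directly under C:\Windows\SysWOW64\<digits>\ or C:\Windows\System32\<digits>\.
# Both spellings are matched because WoW64 redirects a 32-bit process's
# "system32" writes to SysWOW64, as the report's command line vs image path shows.
NUMERIC_SYSDIR = re.compile(r"^c:\\windows\\(?:syswow64|system32)\\\d+\\[^\\]+\.exe$", re.I)
# Any value directly under a ...\CurrentVersion\Run key (HKLM, HKCU, Wow6432Node, or Triage's \REGISTRY\ form).
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
# Companion files created next to the agent in this report.
COMPANION_EXT = {".001", ".006", ".007"}


def exe_from_run_value(details: str) -> str:
    """Return the executable path from Run value data.
    A quoted path keeps its spaces and drops trailing arguments; an unquoted
    path is cut at the first space (the only safe assumption without the file system)."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ")[0]


def check_run_key(ev: dict):
    """Sysmon EventID 13 (registry value set) pointing a Run value at a numeric system subdirectory."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    exe = exe_from_run_value(ev.get("Details", ""))
    if NUMERIC_SYSDIR.match(exe):
        return f"Run-key persistence into numeric system subdirectory: {ev['TargetObject']} -> {exe}"
    return None


def check_drop_cluster(events) -> list:
    """Sysmon EventID 11 (file create): an <name>.exe with at least two of <name>.001/.006/.007 beside it."""
    by_stem = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        p = PureWindowsPath(ev.get("TargetFilename", ""))
        by_stem[f"{str(p.parent).lower()}\\{p.stem.lower()}"].add(p.suffix.lower())
    alerts = []
    for key, exts in sorted(by_stem.items()):
        companions = exts & COMPANION_EXT
        if ".exe" in exts and len(companions) >= 2:
            alerts.append(f"Ardamax-style file cluster: {key}.exe with {sorted(companions)}")
    return alerts


def check_hashes(observed: dict) -> list:
    """observed maps path -> SHA256 hex; returns (path, label) for every hash in the report's IOC set."""
    return [(path, KNOWN_SHA256[h.lower()]) for path, h in observed.items() if h.lower() in KNOWN_SHA256]


def run_detections(events, observed_hashes) -> list:
    alerts = [a for a in (check_run_key(ev) for ev in events) if a]
    alerts += check_drop_cluster(events)
    alerts += [f"Known-bad hash: {path} is {label}" for path, label in check_hashes(observed_hashes)]
    return alerts


# Constructed events mirroring the report's Drops/Run-key rows, plus two benign ones that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\ETYW.001"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\ETYW.006"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\ETYW.007"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\ETYW.exe"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\VSK 3.0.exe", "TargetFilename": r"C:\Windows\SysWOW64\28463\AKV.exe"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\28463\ETYW.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ETYW Agent",
     "Details": r'"C:\Windows\SysWOW64\28463\ETYW.exe"'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # constructed benign Run value
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},  # constructed benign file
]

# Constructed hash observations: the first is the report's ETYW.exe, the second is a placeholder digest.
SAMPLE_HASHES = {
    r"C:\Windows\SysWOW64\28463\ETYW.exe": "c9b47519386b1b7cd6dfecd42e586883d301b7a99c0c3d67a4beabc3ae3dcd6b",
    r"C:\Windows\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS, SAMPLE_HASHES):
        print(alert)
```

Run as-is the script emits three alerts (the Run-key value, the ETYW file cluster, and the ETYW.exe hash) and stays silent on the OneDrive Run value and the Temp log file; AKV.exe alone does not form a cluster because it has no companion files. The numeric-directory and companion-file checks are deliberately broader than this one sample's 28463/ETYW names, since those are generated per install, while the hash list is exact and only catches this build.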