Malware Analysis Report

2024-10-18 23:06

Sample ID 240723-n56hvsvbqh
Target 6782327239a5270825d476b7de67501b_JaffaCakes118
SHA256 954828111dfe35f4efdea985d83e58c60a922acbfe4047f8ee396e7acbb816af
Tags
ardamax discovery keylogger persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

954828111dfe35f4efdea985d83e58c60a922acbfe4047f8ee396e7acbb816af

Threat Level: Known bad

The file 6782327239a5270825d476b7de67501b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-23 11:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 11:59

Reported

2024-07-23 12:15

Platform

win7-20240704-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVW Start = "C:\\Windows\\SysWOW64\\FRMYNM\\AVW.exe" | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\FRMYNM\AVW.002 | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.exe | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\FRMYNM\ | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.004 | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.001 | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe"

C:\Windows\SysWOW64\FRMYNM\AVW.exe

"C:\Windows\system32\FRMYNM\AVW.exe"

Network

N/A

Files

\Windows\SysWOW64\FRMYNM\AVW.exe

MD5 f3819a6cab8ae058254c4abb3844d87e
SHA1 0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b
SHA256 3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9
SHA512 dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

C:\Windows\SysWOW64\FRMYNM\AVW.001

MD5 a15c556f17d7db8287e023138942d5db
SHA1 880bf8ec944120830dc2e2e040e5996e4e0e6c83
SHA256 f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e
SHA512 930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

C:\Windows\SysWOW64\FRMYNM\AVW.002

MD5 daabecdfba287a3333b60ae82211acd7
SHA1 e67b4c7bf0dd71ad47263a58bb60be4bce504b84
SHA256 12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173
SHA512 937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

C:\Windows\SysWOW64\FRMYNM\AVW.004

MD5 9cd45fefa6a2a4cd9a24a336897d900e
SHA1 1dcee26c0345e5e316778b9003096276a2b7f8eb
SHA256 a957025c5ca7dba2a64985671d9e644fc059953647ca1667833d22afdee1b6e6
SHA512 70a66e193b42af399585069385e92d78f86983ab497414ac01742a0fb23864330687305f3ea3652d0b1fb10c37c1000a2edb8924230fe3fd3ff81e94ac345462

memory/2176-13-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2176-15-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 11:59

Reported

2024-07-23 12:16

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVW Start = "C:\\Windows\\SysWOW64\\FRMYNM\\AVW.exe" | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\FRMYNM\ | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.004 | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.001 | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.002 | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\FRMYNM\AVW.exe | C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\FRMYNM\AVW.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6782327239a5270825d476b7de67501b_JaffaCakes118.exe"

C:\Windows\SysWOW64\FRMYNM\AVW.exe

"C:\Windows\system32\FRMYNM\AVW.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\FRMYNM\AVW.exe

MD5 f3819a6cab8ae058254c4abb3844d87e
SHA1 0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b
SHA256 3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9
SHA512 dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

C:\Windows\SysWOW64\FRMYNM\AVW.004

MD5 9cd45fefa6a2a4cd9a24a336897d900e
SHA1 1dcee26c0345e5e316778b9003096276a2b7f8eb
SHA256 a957025c5ca7dba2a64985671d9e644fc059953647ca1667833d22afdee1b6e6
SHA512 70a66e193b42af399585069385e92d78f86983ab497414ac01742a0fb23864330687305f3ea3652d0b1fb10c37c1000a2edb8924230fe3fd3ff81e94ac345462

C:\Windows\SysWOW64\FRMYNM\AVW.002

MD5 daabecdfba287a3333b60ae82211acd7
SHA1 e67b4c7bf0dd71ad47263a58bb60be4bce504b84
SHA256 12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173
SHA512 937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

C:\Windows\SysWOW64\FRMYNM\AVW.001

MD5 a15c556f17d7db8287e023138942d5db
SHA1 880bf8ec944120830dc2e2e040e5996e4e0e6c83
SHA256 f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e
SHA512 930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

memory/2084-15-0x0000000000720000-0x0000000000721000-memory.dmp