Malware Analysis Report

2024-10-18 23:06

Sample ID: 240723-n6djgavbrg
Target: 67828d5328ffd67101fef37f4d87a438_JaffaCakes118
SHA256: e55d71db4bff8fc80937747b48a0458bb3658b20be8b2a714a29d131bc5e3b4f
Tags: ardamax, discovery, keylogger, persistence, stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 67828d5328ffd67101fef37f4d87a438_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: ardamax, discovery, keylogger, persistence, stealer

Ardamax main executable

Ardamax

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-07-23 12:00

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-23 12:00
Reported: 2024-07-23 12:15
Platform: win7-20240704-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe"

Signatures

Ardamax (tags: keylogger, stealer, ardamax)

Ardamax main executable

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QST Start = "C:\\Windows\\JEVKYI\\QST.exe" | C:\Windows\JEVKYI\QST.exe | N/A

Checks installed software on the system (discovery)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\JEVKYI\QST.004 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.001 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.002 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\AKV.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.003 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\JEVKYI\ | C:\Windows\JEVKYI\QST.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\JEVKYI\QST.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe"

C:\Windows\JEVKYI\QST.exe
Command line: "C:\Windows\JEVKYI\QST.exe"

Network

N/A

Files

\Windows\JEVKYI\QST.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

memory/1312-18-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\JEVKYI\QST.004

MD5 8ebb21a9b2a6004661b2842a01fc1dbe
SHA1 1b422d7715ce3819d35bcda5f9c7cd62059c8a00
SHA256 7bcf2bef8434be143c6ee76039f14f4e30be73843fda6b40a549552974bfb639
SHA512 7589d6bdddcd24d03ebc3dba01e759b51ac9e9bb93d22d87152b3950a7650f2b6d83631e79f7b8f417b5ee4574dd558e93d83ac26be994430a1e2447b5beb1cb

C:\Windows\JEVKYI\QST.003

MD5 f47e8f65618e1b1f7e1720713f5a8c4c
SHA1 abad8e9e13b1e41f2af86e3c16526c6f2d05d952
SHA256 f170be2582c82ea131e1f688eea6e1cd17d14e6a9bb805b6aed2791e625a74d8
SHA512 635d617dbd15d00e2f7470857531b9820439a8816f2c74b3d83156599537ff42e26ea7d769863f2768eb2770ba9c47b1a10eb3e2677fe92b9eda6ae51da18dcb

C:\Windows\JEVKYI\QST.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Windows\JEVKYI\QST.001

MD5 425ff37c76030ca0eb60321eedd4afdd
SHA1 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
SHA256 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
SHA512 ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

C:\Windows\JEVKYI\AKV.exe

MD5 eb916da4abe4ff314662089013c8f832
SHA1 1e7e611cc6922a2851bcf135806ab51cdb499efa
SHA256 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
SHA512 d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

memory/1312-20-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-23 12:00
Reported: 2024-07-23 12:16
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe"

Signatures

Ardamax (tags: keylogger, stealer, ardamax)

Ardamax main executable

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QST Start = "C:\\Windows\\JEVKYI\\QST.exe" | C:\Windows\JEVKYI\QST.exe | N/A

Checks installed software on the system (discovery)

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\JEVKYI\ | C:\Windows\JEVKYI\QST.exe | N/A
File created | C:\Windows\JEVKYI\QST.004 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.001 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.002 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\AKV.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.003 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
File created | C:\Windows\JEVKYI\QST.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\JEVKYI\QST.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438_JaffaCakes118.exe"

C:\Windows\JEVKYI\QST.exe
Command line: "C:\Windows\JEVKYI\QST.exe"

C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 37.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

This table does not attribute traffic to a process. The reverse-DNS (in-addr.arpa) lookups and the tse1.mm.bing.net connections are endpoints that Windows 10 itself contacts in the background, so they should not be read as command-and-control activity by the sample without further evidence.

Files

The dropped files (C:\Windows\JEVKYI\QST.exe, QST.001, QST.002, QST.003, QST.004 and AKV.exe) and their MD5/SHA1/SHA256/SHA512 hashes are identical to those listed under Analysis: behavioral1. Memory dumps captured in this detonation:

memory/2064-20-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/2064-23-0x0000000000B40000-0x0000000000B41000-memory.dmp