Malware Analysis Report

2024-10-18 23:06

Sample ID 240724-2h5jyavaka
Target 6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118
SHA256 462d38268ad721761fc38102a512b1289ae696438a3df77402c83164858dacfb
Tags ardamax discovery keylogger persistence stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256

462d38268ad721761fc38102a512b1289ae696438a3df77402c83164858dacfb

Threat Level: Known bad

The file 6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118 was classified as known bad on the strength of the Ardamax family signatures and the persistence and hooking behaviour recorded in both detonations.

Malicious Activity Summary

Tags: ardamax discovery keylogger persistence stealer

The sample is an installer for the Ardamax keylogger. In both detonations it writes the agent (CWHQ.exe) and its companion files (CWHQ.001, .003, .004, .006, .007) into a five-digit folder under the 32-bit system directory, starts the agent, and the agent then registers itself under the HKLM Run key as "CWHQ Agent" and installs Windows hooks via SetWindowsHookEx, consistent with keystroke capture. No network activity attributable to the sample was recorded in either run. Signatures triggered:

Ardamax main executable

Ardamax

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15. The interactive matrix is not reproduced here; the techniques that the signatures below correspond to are:

Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), from the "CWHQ Agent" Run value.

Collection: Input Capture: Keylogging (T1056.001), from the SetWindowsHookEx calls made by the dropped agent.

Discovery: System Location Discovery (T1614) and System Language Discovery (T1614.001), from the Geo\Nation and NLS\Language registry reads; Software Discovery (T1518), from the installed-software check.

Analysis: static1

Detonation Overview

Reported

2024-07-24 22:35

Signatures

Unsigned PE

The sample carries no Authenticode signature. No further static indicator rows were recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 22:35

Reported

2024-07-24 22:40

Platform

win7-20240708-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe"

Signatures

Ardamax (tags: keylogger, stealer, ardamax)

Ardamax main executable

The main executable matched the Ardamax family signature; no indicator rows recorded.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CWHQ Agent = "C:\\Windows\\SysWOW64\\28463\\CWHQ.exe" | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

The value is written by the dropped agent itself, not by the installer, and lands under Wow6432Node because the 32-bit process's HKLM\SOFTWARE writes are registry-redirected on a 64-bit host. When hunting, query both the native and the WOW6432 views of the Run key.

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\CWHQ.006 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.007 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.exe | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.004 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.003 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.001 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

"33" is an unresolved privilege LUID (33 is SeIncreaseWorkingSetPrivilege in the Windows privilege table). AdjustTokenPrivileges can only enable privileges the token already holds, so these calls adjust the agent's own scheduling priority and working set rather than attempting elevation; treat the signature as low signal on its own.

Suspicious use of SetWindowsHookEx

Five SetWindowsHookEx calls by C:\Windows\SysWOW64\28463\CWHQ.exe; the hook type and target thread are not recorded in the report. A hook installed by a freshly dropped, Run-key-persisted binary is consistent with keystroke capture and is the highest-value behaviour in this report to alert on.

Processes

C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\CWHQ.exe
"C:\Windows\system32\28463\CWHQ.exe"

The agent's command line names C:\Windows\system32\28463 while the file actually lives in C:\Windows\SysWOW64\28463: the 32-bit installer wrote to the "system32" path and WoW64 file-system redirection diverted it to SysWOW64 on this 64-bit guest. On a 32-bit Windows install the same binary would land in C:\Windows\System32\28463, so hunts should check both locations.

Network

No network traffic was recorded in the Windows 7 run (121 s network window).

Files

CWHQ.003 was created (see Drops file in System32 directory) but no hash was captured for it, so it is absent from this list.

\Users\Admin\AppData\Local\Temp\@90CB.tmp (identical content to @BE2F.tmp in the Windows 10 run; the temp-file name differs between runs, the hashes do not)

MD5 ac2120f3b2fb824a5c1f3752dc944d21
SHA1 8bfbf3887103e886736e0802f88ed860a450856e
SHA256 fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf
SHA512 474d77a27e3553aa58b394e77317a770f700f59580820741269e6c4746e664ce483a33a51baecd45ef4ac1a13e451a2c47d95c9abb79c7bc5cf902646f78c90f

C:\Windows\SysWOW64\28463\CWHQ.exe

MD5 0c7a714b8e1d2ead2afc90dcc43bbe18
SHA1 66736613f22771f5da5606ed8c80b572b3f5c103
SHA256 800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e
SHA512 35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4

C:\Windows\SysWOW64\28463\CWHQ.001

MD5 cb25f52ec11c130e7535993fbe0b7bbc
SHA1 35472ca9db421ec57dc893a592caf878fdeee9f8
SHA256 699285bb92c66ee2e1099fa26a6227ca5ea0048f1b3b750b2fd4a9cfd8204e12
SHA512 c5d47e8c6dd566d80df348db8f76cb86054c52f1725360d0a7657bdb67f217918b489b39a4f478f40d307ad1f595504f847ed3c00c1c5e575ce11b755a3eaeab

C:\Windows\SysWOW64\28463\CWHQ.004

MD5 63449cfad50b3f5669f0da2a84789489
SHA1 a76f624701c41d8b38b67664411f9eae8c6da071
SHA256 23048dadf243aa6c88a42784cf774622a51637292eb4a83b6d8c3cbc02003ca8
SHA512 42aa6929d775354d2ca3c77cf257efbed30b4dba65ec14d547b14bda0dcf3aa5234a120d11525f9b6cc9d491691047aad21a4e3652a98e3ab3a3c265edb9eda9

C:\Windows\SysWOW64\28463\CWHQ.006

MD5 8499922ab422c17e550a724083be50c7
SHA1 914aa24da69f9882d12d7d7cceae38de4dbcad1c
SHA256 894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a
SHA512 9d2e7619c7e8e459449a7f70d581ae52a1d33ba1c90b2a14812c2a44474451dc06e78a8e410aae5e7caf9306bbe739b1eeca1a1bc167498a982d9f1320dbbd1b

C:\Windows\SysWOW64\28463\CWHQ.007

MD5 b128c2f3eafaff6725ed554a2a21b72f
SHA1 377c206483b5348eb4b657363d29cae830be0b8c
SHA256 b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef
SHA512 3de5ec44becf7520d7ae32764b4636a1d727ab92d192fd92d725d6d308067e331f88e62f3cd9a4a334eb1d9e2ea44bf30f14ebd4e4f2877cdbd6b7bf0ed771c8

Memory dump: memory/1676-26-0x00000000001E0000-0x00000000001E1000-memory.dmp (PID 1676, one 4 KiB page)

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 22:35

Reported

2024-07-24 22:39

Platform

win10v2004-20240709-en

Max time kernel

137s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe"

Signatures

Ardamax (tags: keylogger, stealer, ardamax)

Ardamax main executable

The main executable matched the Ardamax family signature; no indicator rows recorded.

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CWHQ Agent = "C:\\Windows\\SysWOW64\\28463\\CWHQ.exe" | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.001 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.006 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.007 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.exe | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.004 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\CWHQ.003 | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\CWHQ.exe | N/A

Suspicious use of SetWindowsHookEx

Five SetWindowsHookEx calls by C:\Windows\SysWOW64\28463\CWHQ.exe; the hook type and target thread are not recorded in the report.
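The two behaviours that recur across both detonations and carry over between Ardamax builds are the Run value pointing into a purely numeric folder under the 32-bit system directory and the EXE-plus-.00N companion-file cluster dropped there. The following is an added detection example, not part of the sandbox report and not any vendor's rule; it runs over constructed Sysmon-style events (EventID 11 FileCreate and EventID 13 RegistryEvent SetValue, with assumed field names) that mirror the indicators above, with `sample.exe` standing in for the JaffaCakes118 installer.

```python
"""Log-side detection for the Ardamax install pattern in this report.

Added example, not taken from the report or from any vendor rule set.
Runs over constructed Sysmon-style events (EventID 11 FileCreate,
EventID 13 RegistryEvent SetValue; field names assumed) and flags:
  * a Run-key value whose path sits in a purely numeric folder directly
    under System32 or SysWOW64, and
  * an EXE plus two or more <stem>.00N companion files in such a folder.
"""
import re
from collections import defaultdict

# Numeric folder directly under the system directory, e.g.
# C:\Windows\SysWOW64\28463\CWHQ.exe (or the system32 spelling a 32-bit
# process uses before WoW64 redirection rewrites it).
NUMERIC_SYSDIR = re.compile(
    r"^c:\\windows\\(?:system32|syswow64)\\(\d{3,6})\\([^\\]+)$", re.I)
# HKLM/HKCU Run key in either the native or the Wow6432Node view.
RUN_KEY = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
COMPANION = re.compile(r"^.+\.00\d$", re.I)

# Constructed events mirroring the report's indicators; sample.exe stands in
# for the JaffaCakes118 installer. The last two rows are benign noise.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target_filename": r"C:\Windows\SysWOW64\28463\CWHQ.001"},
    {"event_id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target_filename": r"C:\Windows\SysWOW64\28463\CWHQ.006"},
    {"event_id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target_filename": r"C:\Windows\SysWOW64\28463\CWHQ.exe"},
    {"event_id": 13, "image": r"C:\Windows\SysWOW64\28463\CWHQ.exe",
     "target_object": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CWHQ Agent",
     "details": r'"C:\\Windows\\SysWOW64\\28463\\CWHQ.exe"'},
    {"event_id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r'"C:\Program Files\Vendor\tray.exe"'},
    {"event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target_filename": r"C:\Windows\System32\Tasks\Maintenance"},
]


def normalise_path(value):
    """Strip the quotes a Run value carries and collapse doubled backslashes
    (the report renders the value with doubled backslashes)."""
    return value.strip().strip('"').replace("\\\\", "\\")


def run_key_findings(events):
    """Run values that point into a numeric system-directory folder."""
    findings = []
    for e in events:
        if e.get("event_id") != 13 or not RUN_KEY.search(e.get("target_object", "")):
            continue
        path = normalise_path(e.get("details", ""))
        m = NUMERIC_SYSDIR.match(path)
        if m:
            findings.append({
                "rule": "run_key_numeric_sysdir",
                "value_name": e["target_object"].rsplit("\\", 1)[-1],
                "folder": m.group(1),
                "path": path,
                "writer": e.get("image", ""),
            })
    return findings


def companion_cluster_findings(events, min_companions=2):
    """EXE plus .00N companions dropped into the same numeric folder."""
    clusters = defaultdict(lambda: {"exe": None, "companions": []})
    for e in events:
        if e.get("event_id") != 11:
            continue
        m = NUMERIC_SYSDIR.match(e.get("target_filename", ""))
        if not m:
            continue
        folder, name = m.group(1), m.group(2)
        stem, _, ext = name.rpartition(".")
        key = (folder, stem.lower())
        if ext.lower() == "exe":
            clusters[key]["exe"] = e["target_filename"]
        elif COMPANION.match(name):
            clusters[key]["companions"].append(e["target_filename"])
    return [
        {"rule": "numeric_sysdir_companion_cluster", "folder": folder,
         "stem": stem, "exe": c["exe"], "companions": sorted(c["companions"])}
        for (folder, stem), c in clusters.items()
        if c["exe"] and len(c["companions"]) >= min_companions
    ]


if __name__ == "__main__":
    for f in run_key_findings(SAMPLE_EVENTS) + companion_cluster_findings(SAMPLE_EVENTS):
        print(f)
```

The Run-key rule matches both registry views and accepts the system32 spelling, so it fires whether the event was logged from a 32-bit or 64-bit host; the cluster rule keys on the folder and file stem rather than on the names CWHQ or 28463, which are specific to this build.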

Processes

C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d0fc6c574fcb31889d1333ce89789ed_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\CWHQ.exe
"C:\Windows\system32\28463\CWHQ.exe"

As on Windows 7, the command line says system32 while the file sits in SysWOW64: WoW64 file-system redirection rewrote the 32-bit installer's "system32" path on this 64-bit guest.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Everything recorded here is DNS to the sandbox resolver (8.8.8.8), reverse lookups of addresses the guest contacted, and HTTPS to Bing endpoints (g.bing.com, tse1.mm.bing.net) that a Windows 10 image generates on its own. The report attributes none of it to the sample or to CWHQ.exe, and no exfiltration or command-and-control traffic was observed in the 125 s network window; do not treat these rows as indicators.

Files

CWHQ.003 was created (see Drops file in System32 directory) but no hash was captured for it, so it is absent from this list.

C:\Users\Admin\AppData\Local\Temp\@BE2F.tmp (identical content to @90CB.tmp in the Windows 7 run; the temp-file name differs between runs, the hashes do not)

MD5 ac2120f3b2fb824a5c1f3752dc944d21
SHA1 8bfbf3887103e886736e0802f88ed860a450856e
SHA256 fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf
SHA512 474d77a27e3553aa58b394e77317a770f700f59580820741269e6c4746e664ce483a33a51baecd45ef4ac1a13e451a2c47d95c9abb79c7bc5cf902646f78c90f

C:\Windows\SysWOW64\28463\CWHQ.exe

MD5 0c7a714b8e1d2ead2afc90dcc43bbe18
SHA1 66736613f22771f5da5606ed8c80b572b3f5c103
SHA256 800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e
SHA512 35db0de86c168eb6302dcbaa1e1f9ec96b5a8814e7067e1a7bb682e9f35fc06c51148a08e6f7df1e8caeb2effde555c53966a8922e8fef6b7ce194dc81c984b4

C:\Windows\SysWOW64\28463\CWHQ.001

MD5 cb25f52ec11c130e7535993fbe0b7bbc
SHA1 35472ca9db421ec57dc893a592caf878fdeee9f8
SHA256 699285bb92c66ee2e1099fa26a6227ca5ea0048f1b3b750b2fd4a9cfd8204e12
SHA512 c5d47e8c6dd566d80df348db8f76cb86054c52f1725360d0a7657bdb67f217918b489b39a4f478f40d307ad1f595504f847ed3c00c1c5e575ce11b755a3eaeab

C:\Windows\SysWOW64\28463\CWHQ.007

MD5 b128c2f3eafaff6725ed554a2a21b72f
SHA1 377c206483b5348eb4b657363d29cae830be0b8c
SHA256 b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef
SHA512 3de5ec44becf7520d7ae32764b4636a1d727ab92d192fd92d725d6d308067e331f88e62f3cd9a4a334eb1d9e2ea44bf30f14ebd4e4f2877cdbd6b7bf0ed771c8

C:\Windows\SysWOW64\28463\CWHQ.006

MD5 8499922ab422c17e550a724083be50c7
SHA1 914aa24da69f9882d12d7d7cceae38de4dbcad1c
SHA256 894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a
SHA512 9d2e7619c7e8e459449a7f70d581ae52a1d33ba1c90b2a14812c2a44474451dc06e78a8e410aae5e7caf9306bbe739b1eeca1a1bc167498a982d9f1320dbbd1b

C:\Windows\SysWOW64\28463\CWHQ.004

MD5 63449cfad50b3f5669f0da2a84789489
SHA1 a76f624701c41d8b38b67664411f9eae8c6da071
SHA256 23048dadf243aa6c88a42784cf774622a51637292eb4a83b6d8c3cbc02003ca8
SHA512 42aa6929d775354d2ca3c77cf257efbed30b4dba65ec14d547b14bda0dcf3aa5234a120d11525f9b6cc9d491691047aad21a4e3652a98e3ab3a3c265edb9eda9

Memory dumps (PID 2300, one 4 KiB page each):
memory/2300-25-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/2300-29-0x0000000000A80000-0x0000000000A81000-memory.dmp
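The Files tables of both runs give the same six hashes, which makes a host sweep straightforward; hash matching alone is brittle across rebuilds, though, so the layout (a numeric folder directly under System32 or SysWOW64 holding an EXE and its .00N companions) is worth checking as well. The following is an added example, not part of the sandbox report: it walks a directory tree, compares every file's SHA256 against the report's set, and applies the structural check. The demo tree it builds is constructed with placeholder contents, so against the report hashes only the structural check fires.

```python
"""Host sweep for the artefacts in this report's Files tables.

Added example, not part of the sandbox report. Walks a directory tree and
reports (a) files whose SHA256 is in the report's hash set and (b) the
structural trait that survives a rebuild with different hashes: a purely
numeric folder directly under System32/SysWOW64 holding an EXE plus
.00N companion files. The demo tree is constructed with placeholder
content, so only the structural check fires against the report hashes.
"""
import hashlib
import os
import re
import tempfile

# SHA256 values copied from the Files tables. CWHQ.003 was created but has
# no hash in the report, so it is not listed.
REPORT_SHA256 = {
    "fd9c203a32eec0afe4ab1e3ae02c68ac27649120bb3f0af68852ba487384ecaf",  # @90CB.tmp / @BE2F.tmp
    "800bdf00e09f302a17e22d26dffbea037e3c077ef9f6d1d585c114f079397a9e",  # CWHQ.exe
    "699285bb92c66ee2e1099fa26a6227ca5ea0048f1b3b750b2fd4a9cfd8204e12",  # CWHQ.001
    "23048dadf243aa6c88a42784cf774622a51637292eb4a83b6d8c3cbc02003ca8",  # CWHQ.004
    "894ff0262900acdc5b0266f75b2db829d3dec9a059f28888d5c0997d5b76db8a",  # CWHQ.006
    "b9939a330a7cf6d9947a2b3ffb52170a35d5927e401016e7694fdd24ba1aa4ef",  # CWHQ.007
}
NUMERIC_DIR = re.compile(r"^\d{3,6}$")
COMPANION = re.compile(r"^.+\.00\d$", re.I)


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=REPORT_SHA256, system_dirs=("system32", "syswow64")):
    """Return (hash_matches, structural_matches) for the tree under root."""
    hash_matches, structural = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if sha256_of(full) in known_hashes:
                    hash_matches.append(full)
            except OSError:
                continue  # locked or vanished file; keep walking
        # Structural check: parent is a system directory, leaf is all digits.
        parent = os.path.basename(os.path.dirname(dirpath)).lower()
        if parent not in system_dirs or not NUMERIC_DIR.match(os.path.basename(dirpath)):
            continue
        stems = {}
        for name in filenames:
            stem, _, ext = name.rpartition(".")
            entry = stems.setdefault(stem.lower(), {"exe": False, "companions": 0})
            if ext.lower() == "exe":
                entry["exe"] = True
            elif COMPANION.match(name):
                entry["companions"] += 1
        for stem, entry in stems.items():
            if entry["exe"] and entry["companions"] >= 2:
                structural.append({"folder": dirpath, "stem": stem, **entry})
    return hash_matches, structural


def build_demo_tree(base):
    """Constructed layout mirroring the report; file contents are placeholders."""
    folder = os.path.join(base, "Windows", "SysWOW64", "28463")
    os.makedirs(folder, exist_ok=True)
    for name in ("CWHQ.exe", "CWHQ.001", "CWHQ.004", "CWHQ.006"):
        with open(os.path.join(folder, name), "wb") as f:
            f.write(b"placeholder:" + name.encode())
    return folder


def demo():
    """Sweep the constructed tree twice: against the report hashes (structural
    hit only) and against a set extended with the placeholder CWHQ.exe digest
    (hash hit as well)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        report_hits, structural = sweep(tmp)
        extended = REPORT_SHA256 | {hashlib.sha256(b"placeholder:CWHQ.exe").hexdigest()}
        local_hits, _ = sweep(tmp, known_hashes=extended)
    return report_hits, structural, local_hits


if __name__ == "__main__":
    print(demo())
```

On a live host, point sweep() at C:\Windows (or the drive root) and run it elevated; on a 32-bit install the numeric folder sits under System32 rather than SysWOW64, which the system_dirs default already covers.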