Malware Analysis Report

2024-10-18 23:06

Sample ID 240724-bvzlcazfqk
Target 69becb50f203005745189b9766f9c18d_JaffaCakes118
SHA256 9a123cb7b8357158b5f9aae0e3210946e3c2fffd97a9a2924ed94928eb078717
Tags ardamax discovery evasion keylogger persistence stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9a123cb7b8357158b5f9aae0e3210946e3c2fffd97a9a2924ed94928eb078717

Threat Level: Known bad

The file 69becb50f203005745189b9766f9c18d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery evasion keylogger persistence stealer trojan

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Identifies Wine through registry keys

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-24 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 01:28

Reported

2024-07-24 01:32

Platform

win7-20240704-en

Max time kernel

121s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KBO Start = "C:\\Windows\\ALNVUA\\KBO.exe" C:\Windows\ALNVUA\KBO.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ALNVUA\AKV.exe C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File created C:\Windows\ALNVUA\KBO.exe C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ALNVUA\ C:\Windows\ALNVUA\KBO.exe N/A
File created C:\Windows\ALNVUA\KBO.004 C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File created C:\Windows\ALNVUA\KBO.001 C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File created C:\Windows\ALNVUA\KBO.002 C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ALNVUA\KBO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\ALNVUA\KBO.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\ALNVUA\KBO.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe"

C:\Windows\ALNVUA\KBO.exe

"C:\Windows\ALNVUA\KBO.exe"

C:\Users\Admin\AppData\Local\Temp\Engine.exe

"C:\Users\Admin\AppData\Local\Temp\Engine.exe"

Network

N/A

Files

\Windows\ALNVUA\KBO.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

memory/2504-16-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Engine.exe

MD5 0a7088290907a546dcfc6f0f46c76911
SHA1 f771b96088197ed80a69c71f7fd86bbf5a5529c7
SHA256 3034de791af1d7551d95955bce62f46ecd071c0357ceebd3bd75d3e98dc7860a
SHA512 eb6e7aa9e27f814e12f35677de31006421dadbd112a168b89b4b2586c95f566caec14cf7af103c99fccf32a9950004ad490b103624cc7e1f07aadbd63969897d

memory/2304-24-0x0000000003440000-0x0000000003BA0000-memory.dmp

\Windows\ALNVUA\KBO.001

MD5 b8cb0e28a65b57b7633a043ffdd0721b
SHA1 4aeaed92614d0a1fd64ae6c1e85a655de4570884
SHA256 678f7579dd4f01bd9837aece3fd6a8634d16e7bcc6583cf7764212fae4170a8b
SHA512 c781b4c4f86f036b4443a8af0072e59f23c54d20e44c1ee068dacd7ac0f7e324192cccb64a158db3000c78994da826e8394587ef8144b83179b5cc531120e2ab

memory/2832-25-0x0000000000460000-0x0000000000BC0000-memory.dmp

C:\Windows\ALNVUA\KBO.004

MD5 ac411f814c229d18c9da246ccf791350
SHA1 77a2058af852e5aab4cda426329a081b41e39a53
SHA256 52f676a5ce1c57b7bb7322ccefc1a338afd4082fb6bb8a5a3a9802dd5b262165
SHA512 f0583630bf459d5d536caa94fbdf49ebe3bd4802ebf4e10cf156855b82225f63ea25e1f5e2a836ea5b1f508653065f79cdf89294f1dcc8690e37c66dd419f4f3

C:\Windows\ALNVUA\KBO.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Windows\ALNVUA\AKV.exe

MD5 cf351b0f765da7abc49fa60b03144301
SHA1 2018df7a0bb13d4d6d9929ad66ab8e033697dd41
SHA256 5ad7008ad4202a29b1a45d55625db3c583216934cbac6aa4c1414f69ed8e6693
SHA512 545757d3040a1afed3680c4629bc078b26295216b88213fe0f7934d559000bb4f54e3f737bc64301b147980118417ed0e5d03e5d0d28770797e8e37e1cf853f5

memory/2832-28-0x0000000076CC0000-0x0000000076D8C000-memory.dmp

memory/2832-27-0x0000000076CC1000-0x0000000076CC2000-memory.dmp

memory/2832-29-0x0000000076CC0000-0x0000000076D8C000-memory.dmp

memory/2832-30-0x0000000000460000-0x0000000000BC0000-memory.dmp

memory/2504-31-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 01:28

Reported

2024-07-24 01:33

Platform

win10v2004-20240704-en

Max time kernel

135s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KBO Start = "C:\\Windows\\ALNVUA\\KBO.exe" C:\Windows\ALNVUA\KBO.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\system32\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ALNVUA\KBO.exe C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\ALNVUA\ C:\Windows\ALNVUA\KBO.exe N/A
File created C:\Windows\ALNVUA\KBO.004 C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File created C:\Windows\ALNVUA\KBO.001 C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File created C:\Windows\ALNVUA\KBO.002 C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
File created C:\Windows\ALNVUA\AKV.exe C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ALNVUA\KBO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{4A210D43-2757-4BCC-99EB-D93BA4827808} C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1403246978-718555486-3105247137-1000\{3F5D6E69-9F29-4788-BDE7-41A71F57CB49} C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Engine.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\ALNVUA\KBO.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\ALNVUA\KBO.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\ALNVUA\KBO.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\69becb50f203005745189b9766f9c18d_JaffaCakes118.exe"

C:\Windows\ALNVUA\KBO.exe

"C:\Windows\ALNVUA\KBO.exe"

C:\Users\Admin\AppData\Local\Temp\Engine.exe

"C:\Users\Admin\AppData\Local\Temp\Engine.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Windows\ALNVUA\KBO.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

C:\Users\Admin\AppData\Local\Temp\Engine.exe

MD5 0a7088290907a546dcfc6f0f46c76911
SHA1 f771b96088197ed80a69c71f7fd86bbf5a5529c7
SHA256 3034de791af1d7551d95955bce62f46ecd071c0357ceebd3bd75d3e98dc7860a
SHA512 eb6e7aa9e27f814e12f35677de31006421dadbd112a168b89b4b2586c95f566caec14cf7af103c99fccf32a9950004ad490b103624cc7e1f07aadbd63969897d

C:\Windows\ALNVUA\AKV.exe

MD5 cf351b0f765da7abc49fa60b03144301
SHA1 2018df7a0bb13d4d6d9929ad66ab8e033697dd41
SHA256 5ad7008ad4202a29b1a45d55625db3c583216934cbac6aa4c1414f69ed8e6693
SHA512 545757d3040a1afed3680c4629bc078b26295216b88213fe0f7934d559000bb4f54e3f737bc64301b147980118417ed0e5d03e5d0d28770797e8e37e1cf853f5

C:\Windows\ALNVUA\KBO.004

MD5 ac411f814c229d18c9da246ccf791350
SHA1 77a2058af852e5aab4cda426329a081b41e39a53
SHA256 52f676a5ce1c57b7bb7322ccefc1a338afd4082fb6bb8a5a3a9802dd5b262165
SHA512 f0583630bf459d5d536caa94fbdf49ebe3bd4802ebf4e10cf156855b82225f63ea25e1f5e2a836ea5b1f508653065f79cdf89294f1dcc8690e37c66dd419f4f3

memory/4352-27-0x0000000000460000-0x0000000000BC0000-memory.dmp

memory/4028-28-0x0000000000B90000-0x0000000000B91000-memory.dmp

C:\Windows\ALNVUA\KBO.001

MD5 b8cb0e28a65b57b7633a043ffdd0721b
SHA1 4aeaed92614d0a1fd64ae6c1e85a655de4570884
SHA256 678f7579dd4f01bd9837aece3fd6a8634d16e7bcc6583cf7764212fae4170a8b
SHA512 c781b4c4f86f036b4443a8af0072e59f23c54d20e44c1ee068dacd7ac0f7e324192cccb64a158db3000c78994da826e8394587ef8144b83179b5cc531120e2ab

C:\Windows\ALNVUA\KBO.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

memory/4352-45-0x0000000000460000-0x0000000000BC0000-memory.dmp

memory/4028-46-0x0000000000B90000-0x0000000000B91000-memory.dmp