Malware Analysis Report

2024-10-18 23:06

Sample ID 240724-cbhddsvcjf
Target 69d203dbc642d29ba220968ff624ec0a_JaffaCakes118
SHA256 7103ee77df2485fd88694c961f1437d7232fcb838999b3ac63372c704701dbd8
Tags
ardamax discovery keylogger persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

7103ee77df2485fd88694c961f1437d7232fcb838999b3ac63372c704701dbd8

Threat Level: Known bad

The file 69d203dbc642d29ba220968ff624ec0a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-07-24 01:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 01:53

Reported

2024-07-24 01:59

Platform

win10v2004-20240709-en

Max time kernel

131s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LCS Start = "C:\\Windows\\SysWOW64\\WVBBLE\\LCS.exe" | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WVBBLE\AKV.exe | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.exe | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WVBBLE\ | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.004 | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.001 | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.002 | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe"

C:\Windows\SysWOW64\WVBBLE\LCS.exe

"C:\Windows\system32\WVBBLE\LCS.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\WVBBLE\LCS.exe

MD5 9c28244f2dbe3a4758b532838b0040c9
SHA1 4b58bb4033d43ae64af6c18db48d5d25e23f6121
SHA256 cb770745d547a27a4b99fdbe27a672135f812b29d94fd2b843d06bb5aa1748aa
SHA512 24ed3d4c6aae307a0f1bb1f063b211152644b06d7425a5fe24b09f5f747dd63011451cef3f47cc4985b3316cf1213c056d38768ccb7f44cb2fab28cf4e30e969

C:\Windows\SysWOW64\WVBBLE\LCS.002

MD5 4c30b3e90b3da5619bc0d5f53c025135
SHA1 829f487b7c26f6cb8b7f211b2331abbc5229aa61
SHA256 b632cedab7ce3d19eebc0d31864dc8c38cd249dcbde299cda818f7026ec294cf
SHA512 fd0b36fb43c6b62f6d47455b392276d4e3710b204ef11c70cefed417740a4b5d9357ba37f612f3f87d539175af312ead05bc7a4360fe3e26fd43c56e856e6313

C:\Windows\SysWOW64\WVBBLE\LCS.001

MD5 9fca42b7fa3132ded471b886c4bf8a51
SHA1 86109ac13f8b63bd3467bbf05e39c5cf9bd11d26
SHA256 c519bcfc50245700b30cb417478b46810443b03a6447387dd1d0a13966ff00dd
SHA512 bbdd590e1bd2971fbc6a462f6501341c0808d658ba3407b051f9d299d9babf0632af092d64c6ad290d4ae5d9db8c367898a064bbea916c516c0a54066ad698ab

C:\Windows\SysWOW64\WVBBLE\LCS.004

MD5 8003974b10e9eac821443540f943f0df
SHA1 bdea90fb7b7b0ade55ecbb2a82c4f3b468ae6cee
SHA256 0154568cf48711bce2d3bc0308426aebd877dc7dde49d82dad4604e064d76935
SHA512 781ebe42118762c0705ed08100bbed687f6ca7e23bdff37b1b85b9fb46bac7bfe80f5ae289e9afcccd82417b8d71c5e9af224658f401fb8b98e7d6195e29b8a3

C:\Windows\SysWOW64\WVBBLE\AKV.exe

MD5 7e335c1258740a5798c2b3eea5a97229
SHA1 6ce1e98ddc05a4b9e772901c9bc6caae4103267f
SHA256 667ab5d791b89216a46f7dd3a1bcb9b7e5f235415a74a9678ca41cec051c462f
SHA512 8c190dd139f5459a91c81871f53fc080a81c6397c68cb5b0ee195571012cc8af923b10cd77301da1816f935d36a0587d1c75126f5553005a0f50eb22d3441cb4

memory/4204-16-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/4204-18-0x0000000000B40000-0x0000000000B41000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 01:53

Reported

2024-07-24 01:59

Platform

win7-20240704-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LCS Start = "C:\\Windows\\SysWOW64\\WVBBLE\\LCS.exe" | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WVBBLE\AKV.exe | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.exe | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WVBBLE\ | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.004 | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.001 | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\WVBBLE\LCS.002 | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WVBBLE\LCS.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\69d203dbc642d29ba220968ff624ec0a_JaffaCakes118.exe"

C:\Windows\SysWOW64\WVBBLE\LCS.exe

"C:\Windows\system32\WVBBLE\LCS.exe"

Network

N/A

Files

\Windows\SysWOW64\WVBBLE\LCS.exe

MD5 9c28244f2dbe3a4758b532838b0040c9
SHA1 4b58bb4033d43ae64af6c18db48d5d25e23f6121
SHA256 cb770745d547a27a4b99fdbe27a672135f812b29d94fd2b843d06bb5aa1748aa
SHA512 24ed3d4c6aae307a0f1bb1f063b211152644b06d7425a5fe24b09f5f747dd63011451cef3f47cc4985b3316cf1213c056d38768ccb7f44cb2fab28cf4e30e969

C:\Windows\SysWOW64\WVBBLE\AKV.exe

MD5 7e335c1258740a5798c2b3eea5a97229
SHA1 6ce1e98ddc05a4b9e772901c9bc6caae4103267f
SHA256 667ab5d791b89216a46f7dd3a1bcb9b7e5f235415a74a9678ca41cec051c462f
SHA512 8c190dd139f5459a91c81871f53fc080a81c6397c68cb5b0ee195571012cc8af923b10cd77301da1816f935d36a0587d1c75126f5553005a0f50eb22d3441cb4

C:\Windows\SysWOW64\WVBBLE\LCS.001

MD5 9fca42b7fa3132ded471b886c4bf8a51
SHA1 86109ac13f8b63bd3467bbf05e39c5cf9bd11d26
SHA256 c519bcfc50245700b30cb417478b46810443b03a6447387dd1d0a13966ff00dd
SHA512 bbdd590e1bd2971fbc6a462f6501341c0808d658ba3407b051f9d299d9babf0632af092d64c6ad290d4ae5d9db8c367898a064bbea916c516c0a54066ad698ab

C:\Windows\SysWOW64\WVBBLE\LCS.004

MD5 8003974b10e9eac821443540f943f0df
SHA1 bdea90fb7b7b0ade55ecbb2a82c4f3b468ae6cee
SHA256 0154568cf48711bce2d3bc0308426aebd877dc7dde49d82dad4604e064d76935
SHA512 781ebe42118762c0705ed08100bbed687f6ca7e23bdff37b1b85b9fb46bac7bfe80f5ae289e9afcccd82417b8d71c5e9af224658f401fb8b98e7d6195e29b8a3

C:\Windows\SysWOW64\WVBBLE\LCS.002

MD5 4c30b3e90b3da5619bc0d5f53c025135
SHA1 829f487b7c26f6cb8b7f211b2331abbc5229aa61
SHA256 b632cedab7ce3d19eebc0d31864dc8c38cd249dcbde299cda818f7026ec294cf
SHA512 fd0b36fb43c6b62f6d47455b392276d4e3710b204ef11c70cefed417740a4b5d9357ba37f612f3f87d539175af312ead05bc7a4360fe3e26fd43c56e856e6313

memory/2112-15-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2112-17-0x00000000002B0000-0x00000000002B1000-memory.dmp