Malware Analysis Report

2024-10-18 23:06

Sample ID 240724-d2ewmayfqg
Target 6a144d698d7fe572baa503e675a310ee_JaffaCakes118
SHA256 d0ad72b75c5be7d5b36793aadb5687f28b0c3343611191455174a2679ab07508
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

d0ad72b75c5be7d5b36793aadb5687f28b0c3343611191455174a2679ab07508

Threat Level: Known bad

The file 6a144d698d7fe572baa503e675a310ee_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-07-24 03:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 03:29

Reported

2024-07-24 03:32

Platform

win7-20240704-en

Max time kernel

17s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QDSW Agent = "C:\\Windows\\SysWOW64\\28463\\QDSW.exe" C:\Windows\SysWOW64\28463\QDSW.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\QDSW.001 C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.006 C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.007 C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.exe C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\QDSW.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\QDSW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\QDSW.exe

"C:\Windows\system32\28463\QDSW.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@1CC4.tmp

\Windows\SysWOW64\28463\QDSW.exe

C:\Windows\SysWOW64\28463\QDSW.007

C:\Windows\SysWOW64\28463\QDSW.006

C:\Windows\SysWOW64\28463\QDSW.001

C:\Windows\SysWOW64\28463\AKV.exe

memory/840-24-0x0000000000400000-0x000000000047B000-memory.dmp

memory/2676-28-0x000000007796F000-0x0000000077970000-memory.dmp

memory/1996-30-0x0000000002710000-0x0000000002712000-memory.dmp

memory/2676-31-0x00000000003B0000-0x00000000003B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Paty1.jpg

memory/840-35-0x0000000000400000-0x000000000047B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 03:29

Reported

2024-07-24 03:32

Platform

win10v2004-20240704-en

Max time kernel

134s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QDSW Agent = "C:\\Windows\\SysWOW64\\28463\\QDSW.exe" C:\Windows\SysWOW64\28463\QDSW.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\QDSW.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.001 C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.006 C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.007 C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\QDSW.exe C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\QDSW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\QDSW.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6a144d698d7fe572baa503e675a310ee_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\QDSW.exe

"C:\Windows\system32\28463\QDSW.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\@9693.tmp

C:\Windows\SysWOW64\28463\QDSW.exe

C:\Windows\SysWOW64\28463\QDSW.007

C:\Windows\SysWOW64\28463\QDSW.006

C:\Windows\SysWOW64\28463\QDSW.001

C:\Windows\SysWOW64\28463\AKV.exe

memory/1336-24-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1336-28-0x0000000000A70000-0x0000000000A71000-memory.dmp