Malware Analysis Report

2024-10-18 23:06

Sample ID 240724-k1zyqsxhkr
Target 6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118
SHA256 f6a75ea0e317fe5ae60f1d4462b743641a9f2c14c0b23c4cc5f1ff8f4bd7de15
Tags
ardamax discovery keylogger persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

f6a75ea0e317fe5ae60f1d4462b743641a9f2c14c0b23c4cc5f1ff8f4bd7de15

Threat Level: Known bad

The file 6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK (Enterprise Matrix V15)

The interactive matrix did not survive the export. Techniques mapped here from the signature names below: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) from the Run key; Input Capture: Keylogging (T1056.001) from the SetWindowsHookEx use and the Ardamax family match; System Location Discovery: System Language Discovery (T1614.001) and System Information Discovery (T1082) from the NLS, Geo and BIOS registry reads.

Analysis: static1

Detonation Overview

Reported

2024-07-24 09:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 09:04

Reported

2024-07-24 09:07

Platform

win7-20240708-en

Max time kernel

17s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A

SystemBiosVersion and SystemBiosDate are commonly read to fingerprint the machine or to detect a hypervisor (VirtualBox and VMware leave recognisable strings there). The report does not record what the sample does with the values, and the run continued normally in both sandboxes.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LQRX Agent = "C:\\Windows\\SysWOW64\\28463\\LQRX.exe" | C:\Windows\SysWOW64\28463\LQRX.exe | N/A

The Run value is written by the dropped agent itself, not by the dropper. It lands under Wow6432Node because LQRX.exe is a 32-bit process on a 64-bit sandbox; Windows processes both the native and the Wow6432Node Run keys at logon, so a hunt for this persistence has to cover both.

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\LQRX.006 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\LQRX.007 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\LQRX.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
File created | C:\Windows\SysWOW64\28463\LQRX.001 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A

This is the Ardamax installer layout: a numeric folder directly under the system directory (28463 here) holding the agent executable with a four-letter name (LQRX), its .001/.006/.007 side files, and AKV.exe, the Ardamax log viewer component. Both the folder number and the four-letter prefix are build-specific, so a detection should key on the shape of the layout rather than on the literal 28463 or LQRX.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637} | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\ProgID | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\ProgID\ = "SAPI.SpLexicon.1" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\TypeLib | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\THESTU~1.EXE" | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\ = "SpLexicon Class" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064} | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\ | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host\ | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host\Clsid | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host\Clsid\ = "{DB01A1E3-A42B-11CF-8F20-00805F2CD064}" | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\VersionIndependentProgID\ = "SAPI.SpLexicon" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\Version | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\Version\ = "5.4" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\ProgID | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\ProgID\ = "The Stumbler.ActiveScript Host" | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A

Two separate COM registrations are mixed in this table. The dropper populates CLSID {C182663D-5711-CDF8-4A0A-56374A0A5637} with the metadata of the SAPI SpLexicon class (sapi.dll, ProgID SAPI.SpLexicon, the SAPI type library). In the Windows 10 detonation the same CLSID is filled with different metadata (wab32.dll, CLSID_ContactUserAccountChangeCallback, ThreadingModel Apartment), so the values appear to be copied from a class already present on the host rather than fixed in the binary. Separately, The Stumbler.exe registers itself as an out-of-process COM server ({DB01A1E3-A42B-11CF-8F20-00805F2CD064}, ProgID The Stumbler.ActiveScript Host) with LocalServer32 pointing at its own short-name path.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A

Five hook installations, all by the dropped agent. SetWindowsHookEx is the user-mode API for keyboard, mouse and window-message hooks and is how a keylogger of this kind receives keystrokes; the report does not record the hook type (idHook) or whether the hooks are global.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 2220 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 1724 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 1724 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 1724 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 1724 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 1724 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe
PID 1724 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe
PID 1724 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe
PID 1724 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe

The chain reads: the submitted file (PID 2220) starts a second copy of itself (PID 1724) and writes into it; that second instance drops and starts LQRX.exe (PID 2884) and The Stumbler.exe (PID 2524), writing into each at start-up. Repeated rows are separate WriteProcessMemory calls on the same target; Triage logs each call rather than collapsing them.
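The signature rows above are exported with no column delimiter, which makes them awkward to load into a case file. The parser below is an added example and not part of the Triage report: it recovers the four columns from the fixed action vocabulary and the drive-letter/N/A shape of the process and target columns, normalises the NT registry prefixes to HKLM/HKU, splits Set value rows into key, value name and data, and rebuilds the WriteProcessMemory chain as parent/child PID edges. The sample rows are copied from this detonation; the function and field names are the example's own.

```python
"""Parse flattened Triage 'Description Indicator Process Target' rows.

Added example; not part of the sandbox report or of Triage. Sample rows below
are copied from the behavioral1 tables of this report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A row is "<action> <indicator> <process|N/A> <target|N/A>" with plain spaces
# between columns. Actions come from a fixed vocabulary and process/target are
# either N/A or start with a drive letter, so a lazy indicator match is unambiguous
# even when a path contains spaces ("The Stumbler.exe").
ACTIONS = (
    "Key value queried", "Key opened", "Key created", "Set value (str)",
    "File created", "File opened for modification",
)
ROW_RE = re.compile(
    r"^(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r"|PID \d+ wrote to memory of \d+)"
    r" (?P<indicator>.+?)"
    r" (?P<process>[A-Z]:\\.+?|N/A)"
    r" (?P<target>[A-Z]:\\.+|N/A)$"
)
# Set value rows carry '<key>\<name> = "<data>"'; an empty name is the default value.
SET_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
PID_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
HIVE_MAP = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


@dataclass
class Indicator:
    action: str
    key: str                 # registry key or file path, hive prefix normalised
    name: Optional[str]      # value name for Set value rows
    data: Optional[str]      # value data with Triage's doubled backslashes undone
    process: str
    target: str


def normalize_key(nt_path: str) -> str:
    """\\REGISTRY\\MACHINE\\... -> HKLM\\..., \\REGISTRY\\USER\\... -> HKU\\...; others unchanged."""
    for nt, hive in HIVE_MAP.items():
        if nt_path.upper().startswith(nt):
            return hive + nt_path[len(nt):]
    return nt_path


def parse_row(row: str) -> Optional[Indicator]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None  # header, blank or unknown row
    action, indicator = m["action"], m["indicator"]
    name = data = None
    if action == "Set value (str)":
        sv = SET_VALUE_RE.match(indicator)
        if sv:
            indicator, name = sv["key"], sv["name"]
            data = sv["data"].replace("\\\\", "\\")
    return Indicator(action, normalize_key(indicator), name, data, m["process"], m["target"])


def parse_table(text: str) -> List[Indicator]:
    """Parse a pasted table; header and blank lines are skipped."""
    return [ind for ind in (parse_row(line) for line in text.splitlines()) if ind]


def injection_edges(indicators: List[Indicator]) -> List[Tuple[int, int, str, str]]:
    """(parent_pid, child_pid, parent_image, child_image), de-duplicated, in first-seen order."""
    seen, edges = set(), []
    for ind in indicators:
        m = PID_RE.match(ind.action)
        if m:
            edge = (int(m[1]), int(m[2]), ind.process, ind.target)
            if edge not in seen:
                seen.add(edge)
                edges.append(edge)
    return edges


# Rows copied from this report (behavioral1).
SAMPLE_ROWS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LQRX Agent = "C:\\Windows\\SysWOW64\\28463\\LQRX.exe" C:\Windows\SysWOW64\28463\LQRX.exe N/A',
    r"File created C:\Windows\SysWOW64\28463\LQRX.exe C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe N/A",
    r"PID 2220 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe",
    r"PID 2220 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe",
    r"PID 1724 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe C:\Windows\SysWOW64\28463\LQRX.exe",
    r"PID 1724 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe",
]

if __name__ == "__main__":
    inds = parse_table("Description Indicator Process Target\n" + "\n".join(SAMPLE_ROWS))
    for ind in inds:
        print(ind)
    for parent, child, _, child_image in injection_edges(inds):
        print(f"{parent} -> {child}  {child_image}")
```

The Run value comes out as key HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, name LQRX Agent and data C:\Windows\SysWOW64\28463\LQRX.exe, which is the form a registry hunt or a Sigma rule needs; the injection edges collapse the repeated rows into 2220 -> 1724 -> {2884, 2524}.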

Processes

C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe (PID 2220)

"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe (PID 1724, second copy started by PID 2220)

"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\LQRX.exe (PID 2884)

"C:\Windows\system32\28463\LQRX.exe"

C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe (PID 2524)

"C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe"

The LQRX.exe command line names C:\Windows\system32 while the file lives in SysWOW64: the 32-bit parent refers to it by the system32 path and WOW64 file-system redirection maps that to SysWOW64. A 64-bit tool searching the literal system32 path on a 64-bit host will not find the file.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pegasus.dreamhost.com | udp

The only network indicator attributable to the sample is the DNS lookup of pegasus.dreamhost.com; no TCP connection to it was recorded in the 17 s window, so the log delivery channel is not visible in this detonation.

Files

memory/2220-1-0x0000000002640000-0x00000000027D8000-memory.dmp

memory/2220-0-0x0000000000400000-0x0000000000598000-memory.dmp

memory/1724-2-0x0000000000400000-0x0000000000598000-memory.dmp

memory/1724-3-0x0000000000437000-0x0000000000438000-memory.dmp

memory/1724-4-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1724-9-0x0000000000400000-0x0000000000598000-memory.dmp

memory/1724-10-0x0000000000400000-0x0000000000598000-memory.dmp

memory/1724-12-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1724-11-0x0000000000400000-0x0000000000598000-memory.dmp

\Users\Admin\AppData\Local\Temp\@A313.tmp

MD5 25530555085337eb644b061f239aa9d4
SHA1 8d91e099aba5439d4bfa8bce464c94e3e1acf620
SHA256 3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325
SHA512 b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

\Windows\SysWOW64\28463\LQRX.exe

MD5 97d8ad45f48b4b28a93aab94699b7168
SHA1 8b69b7fd7c008b95d12386f6da415097e72151de
SHA256 661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331
SHA512 3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

C:\Windows\SysWOW64\28463\LQRX.007

MD5 e9fbdcc2f5fb657fa519b3f5c69fc52d
SHA1 c49cca77b46a59d620711de7564d43e5dafcd2b5
SHA256 cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4
SHA512 913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

C:\Windows\SysWOW64\28463\LQRX.006

MD5 81e20f4361cf8f5a57812871c24d945e
SHA1 5d7877d6959ab26599b05795a71633f00c37a3da
SHA256 e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d
SHA512 69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

C:\Windows\SysWOW64\28463\LQRX.001

MD5 c3d2dcfda51d963544617122124e3060
SHA1 3234ebd05b0285088800b1ef86a0072fe9a88463
SHA256 4e408a8345556ce999f977b12fd2df8e491ba106c8d597937b0d53ed61e01ead
SHA512 2a8a50d2608d424df48cc537ac4a0c4a703bdb26bd4a7d4a03f9e93e23693b6c0886a64c1da533e4d2cb9e5ffc3336224bf75211a8986b2158455494687113c2

C:\Windows\SysWOW64\28463\AKV.exe

MD5 d63cc8679a63448db1c64252e14e4ab5
SHA1 10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e
SHA256 29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d
SHA512 cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

memory/2884-38-0x0000000000400000-0x000000000047B000-memory.dmp

memory/1724-41-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1724-44-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1724-46-0x0000000000400000-0x0000000000598000-memory.dmp

\Users\Admin\AppData\Local\Temp\The Stumbler.exe

MD5 5f38826a4455b0526c233f09ddf128cf
SHA1 5159095b88b590e1c505606519df8310c8b5b553
SHA256 cd1779489e6cf758e816c8a5366cc07bff2c9ec36ad7f87d0c56a8d0579b4dec
SHA512 618311ee08b0b972f761dd98fbccccfab3d70322967c08dbff63868ae5564123153c6fa1447bfd5ad253dc6a09cf6297b10c21ede7eaa99a0705c8e9bb214d66

memory/1724-50-0x00000000034B0000-0x00000000035FF000-memory.dmp

memory/1724-58-0x0000000000310000-0x0000000000352000-memory.dmp

memory/2220-60-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2524-62-0x0000000000400000-0x000000000054F000-memory.dmp

memory/1724-61-0x00000000034B0000-0x00000000035FF000-memory.dmp

memory/2524-72-0x0000000000400000-0x000000000054F000-memory.dmp

memory/2884-73-0x0000000000400000-0x000000000047B000-memory.dmp
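As an added example, not from the report or from Triage, the detection logic below turns the behaviour recorded in this detonation into three host-side checks that run over Sysmon-shaped events: a known-hash match on the SHA256 values listed above, a structural match on the Ardamax file layout (a numeric folder under System32/SysWOW64 holding .00x side files, and an executable started from such a folder), and a Run value whose data points into such a folder. The events are constructed here to mirror the report, with a benign per-user Run value and an ordinary System32 write as controls; the field names follow Sysmon's (EventID 1/11/13, Image, TargetFilename, TargetObject, Details, Hashes) but nothing here reads a real event log.

```python
"""Host-side checks for the Ardamax install pattern recorded in this report.

Added example; not part of the sandbox report or of Triage. Events are
constructed below in Sysmon field naming and are not read from a real log."""
import re

# SHA256 values copied from the report's Files section.
KNOWN_SHA256 = {
    "f6a75ea0e317fe5ae60f1d4462b743641a9f2c14c0b23c4cc5f1ff8f4bd7de15": "dropper (6b0516bc..._JaffaCakes118.exe)",
    "661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331": "LQRX.exe (Ardamax agent)",
    "29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d": "AKV.exe",
    "cd1779489e6cf758e816c8a5366cc07bff2c9ec36ad7f87d0c56a8d0579b4dec": "The Stumbler.exe",
}

# Layout seen in the report: <drive>:\Windows\{System32|SysWOW64}\<4-6 digits>\
# holding <NAME>.exe plus <NAME>.001/.006/.007. Digits and NAME vary per build,
# so the checks match the shape rather than the literal 28463 / LQRX.
NUMERIC_SYSDIR = r"[A-Za-z]:\\Windows\\(?:System32|SysWOW64)\\\d{4,6}\\"
SIDE_FILE_RE = re.compile(NUMERIC_SYSDIR + r"[^\\]+\.0\d\d$", re.I)
EXE_IN_SYSDIR_RE = re.compile(NUMERIC_SYSDIR + r"[^\\]+\.exe$", re.I)
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)


def sha256_of(hashes_field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def evaluate(events):
    """Return (rule, subject, detail) tuples for every check an event satisfies."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            digest = sha256_of(ev.get("Hashes", ""))
            if digest in KNOWN_SHA256:
                findings.append(("known_hash", ev["Image"], KNOWN_SHA256[digest]))
            if EXE_IN_SYSDIR_RE.search(ev["Image"]):
                findings.append(("exec_from_numeric_sysdir", ev["Image"], ev.get("ParentImage", "")))
        elif eid == 11:  # FileCreate
            if SIDE_FILE_RE.search(ev["TargetFilename"]):
                findings.append(("ardamax_side_file", ev["TargetFilename"], ev["Image"]))
        elif eid == 13:  # RegistryValueSet; Details may arrive quoted
            data = ev["Details"].strip('"')
            if RUN_VALUE_RE.search(ev["TargetObject"]) and EXE_IN_SYSDIR_RE.search(data):
                findings.append(("run_value_to_numeric_sysdir", ev["TargetObject"], data))
    return findings


# Constructed events mirroring behavioral1; paths and hashes are the report's.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"
AGENT = r"C:\Windows\SysWOW64\28463\LQRX.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=F6A75EA0E317FE5AE60F1D4462B743641A9F2C14C0B23C4CC5F1FF8F4BD7DE15"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\SysWOW64\28463\LQRX.001"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": AGENT},
    {"EventID": 13, "Image": AGENT,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LQRX Agent",
     "Details": AGENT},
    {"EventID": 1, "Image": AGENT, "ParentImage": DROPPER,
     "Hashes": "MD5=97D8AD45F48B4B28A93AAB94699B7168,SHA256=661DF22A66B2062B233EB0BD9665DE924CFE0AC9C6BA29E20FFEF24F817F9331"},
    # Benign controls (constructed): an ordinary per-user Run value and an ordinary System32 write.
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\catroot2\edb.log"},
]

if __name__ == "__main__":
    for rule, subject, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:28} {subject}  {detail}")
```

The hash check is the narrow one and only catches this build; the two structural checks are what survive a rebuild with a new folder number and prefix, and the Run-value check should be applied to both the native and the Wow6432Node Run keys, which the regex does by anchoring on the key's tail rather than its hive path.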

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 09:04

Reported

2024-07-24 09:07

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A

Geo\Nation holds the user's configured country. Reading it alongside the NLS language key is consistent with region-aware behaviour, but the report shows no branch on the result and the Windows 7 run, which did not trigger this signature, behaved the same.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LQRX Agent = "C:\\Windows\\SysWOW64\\28463\\LQRX.exe" | C:\Windows\SysWOW64\28463\LQRX.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\LQRX.007 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\LQRX.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
File created | C:\Windows\SysWOW64\28463\LQRX.001 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\LQRX.006 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\ProgID | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064} | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\ | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host\Clsid | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\ = "CLSID_ContactUserAccountChangeCallback" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host\ | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\The Stumbler.ActiveScript Host\Clsid\ = "{DB01A1E3-A42B-11CF-8F20-00805F2CD064}" | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\ProgID\ = "The Stumbler.ActiveScript Host" | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637} | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C182663D-5711-CDF8-4A0A-56374A0A5637}\InprocServer32\ = "%CommonProgramFiles%\\System\\wab32.dll" | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB01A1E3-A42B-11CF-8F20-00805F2CD064}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\THESTU~1.EXE" | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe | N/A

Same two registrations as in behavioral1. The Stumbler.exe COM server entry is identical; the dropper's CLSID {C182663D-5711-CDF8-4A0A-56374A0A5637} is filled with different metadata on Windows 10 (wab32.dll, CLSID_ContactUserAccountChangeCallback, ThreadingModel Apartment) than on Windows 7 (sapi.dll, SpLexicon, Both), so the CLSID is the stable indicator and its display name and server path are not.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\LQRX.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 956 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe
PID 4820 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 4820 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 4820 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Windows\SysWOW64\28463\LQRX.exe
PID 4820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe
PID 4820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe
PID 4820 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe

Same chain as on Windows 7 with different PIDs: the submitted file (PID 956) starts and writes into a second copy of itself (PID 4820), which then starts LQRX.exe (PID 2660) and The Stumbler.exe (PID 3060).

Processes

C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe (PID 956)

"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe (PID 4820, second copy started by PID 956)

"C:\Users\Admin\AppData\Local\Temp\6b0516bc7fc043ab6ffeaebcff4a2a6e_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\LQRX.exe (PID 2660; launched via the system32 path, which WOW64 redirects to SysWOW64)

"C:\Windows\system32\28463\LQRX.exe"

C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe (PID 3060)

"C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | pegasus.dreamhost.com | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp

pegasus.dreamhost.com is the only name resolved in both detonations. The reverse (in-addr.arpa) lookups and the bing.net/bing.com traffic are consistent with Windows 10 background activity of the sandbox image rather than sample behaviour, and as on Windows 7 no TCP connection to pegasus.dreamhost.com was recorded within the 146 s window.

Files

memory/956-0-0x0000000000400000-0x0000000000598000-memory.dmp

memory/4820-3-0x0000000000400000-0x0000000000598000-memory.dmp

memory/4820-5-0x00000000005A0000-0x00000000005E2000-memory.dmp

memory/4820-9-0x00000000005A0000-0x00000000005E2000-memory.dmp

memory/4820-10-0x0000000000400000-0x0000000000598000-memory.dmp

memory/4820-12-0x00000000005A0000-0x00000000005E2000-memory.dmp

memory/4820-11-0x0000000000400000-0x0000000000598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@53B.tmp

MD5 25530555085337eb644b061f239aa9d4
SHA1 8d91e099aba5439d4bfa8bce464c94e3e1acf620
SHA256 3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325
SHA512 b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

memory/4820-23-0x00000000005A0000-0x00000000005E2000-memory.dmp

C:\Windows\SysWOW64\28463\LQRX.exe

MD5 97d8ad45f48b4b28a93aab94699b7168
SHA1 8b69b7fd7c008b95d12386f6da415097e72151de
SHA256 661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331
SHA512 3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

C:\Users\Admin\AppData\Local\Temp\The Stumbler.exe

MD5 5f38826a4455b0526c233f09ddf128cf
SHA1 5159095b88b590e1c505606519df8310c8b5b553
SHA256 cd1779489e6cf758e816c8a5366cc07bff2c9ec36ad7f87d0c56a8d0579b4dec
SHA512 618311ee08b0b972f761dd98fbccccfab3d70322967c08dbff63868ae5564123153c6fa1447bfd5ad253dc6a09cf6297b10c21ede7eaa99a0705c8e9bb214d66

memory/3060-48-0x0000000000400000-0x000000000054F000-memory.dmp

memory/956-49-0x0000000000400000-0x0000000000598000-memory.dmp

memory/4820-47-0x00000000005A0000-0x00000000005E2000-memory.dmp

memory/4820-50-0x0000000000400000-0x0000000000598000-memory.dmp

C:\Windows\SysWOW64\28463\LQRX.006

MD5 81e20f4361cf8f5a57812871c24d945e
SHA1 5d7877d6959ab26599b05795a71633f00c37a3da
SHA256 e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d
SHA512 69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

C:\Windows\SysWOW64\28463\LQRX.007

MD5 e9fbdcc2f5fb657fa519b3f5c69fc52d
SHA1 c49cca77b46a59d620711de7564d43e5dafcd2b5
SHA256 cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4
SHA512 913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

C:\Windows\SysWOW64\28463\LQRX.001

MD5 c3d2dcfda51d963544617122124e3060
SHA1 3234ebd05b0285088800b1ef86a0072fe9a88463
SHA256 4e408a8345556ce999f977b12fd2df8e491ba106c8d597937b0d53ed61e01ead
SHA512 2a8a50d2608d424df48cc537ac4a0c4a703bdb26bd4a7d4a03f9e93e23693b6c0886a64c1da533e4d2cb9e5ffc3336224bf75211a8986b2158455494687113c2

C:\Windows\SysWOW64\28463\AKV.exe

MD5 d63cc8679a63448db1c64252e14e4ab5
SHA1 10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e
SHA256 29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d
SHA512 cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

memory/3060-63-0x0000000000400000-0x000000000054F000-memory.dmp