Malware Analysis Report

2024-10-18 23:05

Sample ID 240724-kbp28szbrh
Target 6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118
SHA256 40004b4b20a09ce25c1bd42397ff82e619e8f41a584178da1eb844020b074da9
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 40004b4b20a09ce25c1bd42397ff82e619e8f41a584178da1eb844020b074da9

Threat Level: Known bad

The file 6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-24 08:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-24 08:25
Reported 2024-07-24 08:28
Platform win7-20240708-en
Max time kernel 121s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YGT Start = "C:\\Windows\\SysWOW64\\AIGAQW\\YGT.exe" | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\AIGAQW\YGT.001 | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\YGT.002 | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\YGT.exe | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\AIGAQW\ | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\YGT.004 | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe"

C:\Windows\SysWOW64\AIGAQW\YGT.exe

"C:\Windows\system32\AIGAQW\YGT.exe"

Network

N/A

Files

\Windows\SysWOW64\AIGAQW\YGT.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

memory/3028-15-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\SysWOW64\AIGAQW\YGT.004

MD5 7e521f925d13854baf5c6afc4c11924c
SHA1 80ceab5b17efd2893373fe9656ea132b03c4a0d8
SHA256 83707de34316061a820bc03a2c84cac320a682d0850e5c7953dc0ed867f1ffc2
SHA512 477cf0db10be7538b82bfd2343174505531723dc3ff7e2071a4c0494aaed976c1bc4c7ba627f483366f907fe77a03aec352d947ccfb4841ea768778e16e6aa93

C:\Windows\SysWOW64\AIGAQW\YGT.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Windows\SysWOW64\AIGAQW\YGT.001

MD5 425ff37c76030ca0eb60321eedd4afdd
SHA1 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
SHA256 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
SHA512 ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

C:\Windows\SysWOW64\AIGAQW\AKV.exe

MD5 eb916da4abe4ff314662089013c8f832
SHA1 1e7e611cc6922a2851bcf135806ab51cdb499efa
SHA256 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
SHA512 d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

memory/3028-17-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-24 08:25
Reported 2024-07-24 08:28
Platform win10v2004-20240709-en
Max time kernel 120s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YGT Start = "C:\\Windows\\SysWOW64\\AIGAQW\\YGT.exe" | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\AIGAQW\YGT.004 | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\YGT.001 | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\YGT.002 | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\AIGAQW\YGT.exe | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\AIGAQW\ | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\AIGAQW\YGT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6aea009b79bacbc0cb0ff4bde62c9c7c_JaffaCakes118.exe"

C:\Windows\SysWOW64\AIGAQW\YGT.exe

"C:\Windows\system32\AIGAQW\YGT.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\AIGAQW\YGT.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

C:\Windows\SysWOW64\AIGAQW\AKV.exe

MD5 eb916da4abe4ff314662089013c8f832
SHA1 1e7e611cc6922a2851bcf135806ab51cdb499efa
SHA256 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
SHA512 d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

C:\Windows\SysWOW64\AIGAQW\YGT.004

MD5 7e521f925d13854baf5c6afc4c11924c
SHA1 80ceab5b17efd2893373fe9656ea132b03c4a0d8
SHA256 83707de34316061a820bc03a2c84cac320a682d0850e5c7953dc0ed867f1ffc2
SHA512 477cf0db10be7538b82bfd2343174505531723dc3ff7e2071a4c0494aaed976c1bc4c7ba627f483366f907fe77a03aec352d947ccfb4841ea768778e16e6aa93

memory/916-16-0x0000000002330000-0x0000000002331000-memory.dmp

C:\Windows\SysWOW64\AIGAQW\YGT.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Windows\SysWOW64\AIGAQW\YGT.001

MD5 425ff37c76030ca0eb60321eedd4afdd
SHA1 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
SHA256 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
SHA512 ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

memory/916-18-0x0000000002330000-0x0000000002331000-memory.dmp