Malware Analysis Report

2024-10-18 23:06

Sample ID 240724-plergawalq
Target 6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118
SHA256 45741908aba41ce4ff4b0140a1eda218ad305eeba332eff777ea2c3da5c2e593
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Ardamax main executable

Ardamax

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-07-24 12:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 12:24

Reported

2024-07-24 12:27

Platform

win10v2004-20240709-en

Max time kernel

134s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\TWTI.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TWTI Agent = "C:\\Windows\\SysWOW64\\28463\\TWTI.exe" | C:\Windows\SysWOW64\28463\TWTI.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\TWTI.001 | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.006 | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.007 | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.exe | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\TWTI.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\TWTI.exe

"C:\Windows\system32\28463\TWTI.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\@8889.tmp

MD5 cde9827bcff03c6c1f883f693c8c6700
SHA1 c2ce6d6a1dd2e17d8736e779ebe1f6d0383b4f46
SHA256 ba4566adf8b2cd5a6afb6fcb2a43cd80139d1882f71f03ccd4d0eea71fac8252
SHA512 11b901e644a52826c317435dc87872b55a36fa9d477530a030d1f137beb2710544b1f0e2fd23b3f6528f2f71ab55c66d219a87f1d5bc0f6ec0fd5aecd7659bc5

C:\Windows\SysWOW64\28463\TWTI.exe

MD5 4ea1467f05af54ad8c98ee4926aff85c
SHA1 a377d95a18ed943cae552af415647ec6e9861c1e
SHA256 b5a510cf3884c0217cafd5f378ce3eb389bd4e88eea5f662e5c364a6e3fb4476
SHA512 049b8f935e96773f35f67d0ff6de74e6dda04f5add09964500a356184db0c3229943ef5a27df2b1e8098bf693e3016007272e797c37e99a1ebdce0999363963d

C:\Windows\SysWOW64\28463\AKV.exe

MD5 14f8412a6efc0043fdf855f6eff2217f
SHA1 99c8ada8c45b390c44e7daf706705a653914f85f
SHA256 57dad901c66f57147e75656fa5b4df9fd62158b546dc7ceee18767f1ca95e6bc
SHA512 cafbbb42a9b0877f1bcf17a0219d9570bee5878cccbfe2a30f947cff492d3bc089fed34dbf12e410031f9f70decccbaf3464c1e4e71d7d771efa048580bbeb81

C:\Windows\SysWOW64\28463\TWTI.001

MD5 226ee506dfdf089f613d4b6149d88d36
SHA1 0475b9dbf38faa471b8d2a71ff776cd84d130ef5
SHA256 a5d1cbbe29084f4255c03c7e9bd65d0f9d9c89a7bf031ab8adb9d1b09f21048c
SHA512 d4bc34d55735269343dfb21678f8bf9f4a0641b211e5fb8e39b05f1dfff15e1523a50fc175f6205b7bcc675c54a654f089fd844652c681d4ea9fc26aab5015f5

C:\Windows\SysWOW64\28463\TWTI.006

MD5 acfe714319d5092d079a46d20785dab8
SHA1 67c491b9abb9ecffa1c87ce9ec1d516cd5fd9715
SHA256 832732c6ebefed88a2db93f73867ca0d5bd5b2a012ccbcfcf26e22bed6dc4fac
SHA512 895b25109ae1d6b64c6383cd74e8354cda27aa4925c06d7ef90edb748fb7765a07253ce0f69b3d0a13f8c63d1d226df61f50a56fe05569d31a4a5265f4175a8f

C:\Windows\SysWOW64\28463\TWTI.007

MD5 dd462f9742de6d9d95459334538c2b1f
SHA1 8718400320b2aa38ff37dba0fe82062e5d3839bd
SHA256 b172cb7ab44abac00ea09707fe8926aa327e01f22726a887fa0e8eb72cdf1e54
SHA512 bc21d555ade6009250a892ef4b55f8ee96998dfafb3557da1e347297f0dc5f0e53e635f4b5d53261cccc46629adabd208fbc7a53fb826ff1606c47eb57e4537c

memory/1484-23-0x0000000000640000-0x0000000000641000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 12:24

Reported

2024-07-24 12:27

Platform

win7-20240708-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\TWTI.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TWTI Agent = "C:\\Windows\\SysWOW64\\28463\\TWTI.exe" | C:\Windows\SysWOW64\28463\TWTI.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.001 | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.006 | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.007 | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\28463\TWTI.exe | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\TWTI.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6b84c6ae8724d9ab87154aa07293da4e_JaffaCakes118.exe"

C:\Windows\SysWOW64\28463\TWTI.exe

"C:\Windows\system32\28463\TWTI.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@B7CB.tmp

MD5 cde9827bcff03c6c1f883f693c8c6700
SHA1 c2ce6d6a1dd2e17d8736e779ebe1f6d0383b4f46
SHA256 ba4566adf8b2cd5a6afb6fcb2a43cd80139d1882f71f03ccd4d0eea71fac8252
SHA512 11b901e644a52826c317435dc87872b55a36fa9d477530a030d1f137beb2710544b1f0e2fd23b3f6528f2f71ab55c66d219a87f1d5bc0f6ec0fd5aecd7659bc5

\Windows\SysWOW64\28463\TWTI.exe

MD5 4ea1467f05af54ad8c98ee4926aff85c
SHA1 a377d95a18ed943cae552af415647ec6e9861c1e
SHA256 b5a510cf3884c0217cafd5f378ce3eb389bd4e88eea5f662e5c364a6e3fb4476
SHA512 049b8f935e96773f35f67d0ff6de74e6dda04f5add09964500a356184db0c3229943ef5a27df2b1e8098bf693e3016007272e797c37e99a1ebdce0999363963d

memory/2540-21-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\SysWOW64\28463\TWTI.007

MD5 dd462f9742de6d9d95459334538c2b1f
SHA1 8718400320b2aa38ff37dba0fe82062e5d3839bd
SHA256 b172cb7ab44abac00ea09707fe8926aa327e01f22726a887fa0e8eb72cdf1e54
SHA512 bc21d555ade6009250a892ef4b55f8ee96998dfafb3557da1e347297f0dc5f0e53e635f4b5d53261cccc46629adabd208fbc7a53fb826ff1606c47eb57e4537c

C:\Windows\SysWOW64\28463\TWTI.006

MD5 acfe714319d5092d079a46d20785dab8
SHA1 67c491b9abb9ecffa1c87ce9ec1d516cd5fd9715
SHA256 832732c6ebefed88a2db93f73867ca0d5bd5b2a012ccbcfcf26e22bed6dc4fac
SHA512 895b25109ae1d6b64c6383cd74e8354cda27aa4925c06d7ef90edb748fb7765a07253ce0f69b3d0a13f8c63d1d226df61f50a56fe05569d31a4a5265f4175a8f

C:\Windows\SysWOW64\28463\TWTI.001

MD5 226ee506dfdf089f613d4b6149d88d36
SHA1 0475b9dbf38faa471b8d2a71ff776cd84d130ef5
SHA256 a5d1cbbe29084f4255c03c7e9bd65d0f9d9c89a7bf031ab8adb9d1b09f21048c
SHA512 d4bc34d55735269343dfb21678f8bf9f4a0641b211e5fb8e39b05f1dfff15e1523a50fc175f6205b7bcc675c54a654f089fd844652c681d4ea9fc26aab5015f5

C:\Windows\SysWOW64\28463\AKV.exe

MD5 14f8412a6efc0043fdf855f6eff2217f
SHA1 99c8ada8c45b390c44e7daf706705a653914f85f
SHA256 57dad901c66f57147e75656fa5b4df9fd62158b546dc7ceee18767f1ca95e6bc
SHA512 cafbbb42a9b0877f1bcf17a0219d9570bee5878cccbfe2a30f947cff492d3bc089fed34dbf12e410031f9f70decccbaf3464c1e4e71d7d771efa048580bbeb81