Malware Analysis Report

2024-10-18 23:06

Sample ID 240725-abnt3avgkq
Target 6d57f66cedb5869f3159e171565eda65_JaffaCakes118
SHA256 82261a50af6324158cfc405c08b56289d10272d01c7be888f7a6870807861bfb
Tags
ardamax discovery keylogger persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

82261a50af6324158cfc405c08b56289d10272d01c7be888f7a6870807861bfb

Threat Level: Known bad

The file 6d57f66cedb5869f3159e171565eda65_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-07-25 00:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 00:02

Reported

2024-07-25 00:08

Platform

win7-20240708-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCG Start = "C:\\Windows\\SysWOW64\\CHUOMY\\PCG.exe" | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

The payload registers itself rather than the dropper: PCG.exe writes a Run value named "PCG Start" under the Wow6432Node (32-bit) view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Windows processes that key at logon alongside the native Run key, so the keylogger is relaunched at every interactive logon on the machine.

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\CHUOMY\PCG.002 | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\PCG.exe | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\CHUOMY\ | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\PCG.004 | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\PCG.001 | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Four hook installations by the persisted payload, consistent with keystroke capture through a Windows hook; the signature records neither the hook type nor the target thread.
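
The signatures above (a Run value under Wow6432Node, five files dropped into a SysWOW64 subfolder, and a child whose command line says system32 while its image is in SysWOW64) are more useful correlated than alerted on one at a time. The Python below is an added example, not part of this report or of any sandbox tooling. The Sysmon-style events it runs over are constructed here from the report's indicators, and the event field names (event, image, target, details, cmdline) are an assumed simplification of Sysmon's schema; the benign vendor-updater row is a constructed control.

```python
"""Correlate Run-key persistence, SysWOW64 drops and WOW64 path redirection
over constructed Sysmon-style events (added example, not sandbox output)."""
import json
import re
from typing import Dict, List

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe")
PAYLOAD = r"C:\Windows\SysWOW64\CHUOMY\PCG.exe"

# Constructed events modelled on the report's indicators; field names are an
# assumed simplification of Sysmon's ProcessCreate/FileCreate/RegistryEvent schema.
EVENTS: List[Dict[str, str]] = [
    {"event": "FileCreate", "image": DROPPER, "target": r"C:\Windows\SysWOW64\CHUOMY\PCG.002"},
    {"event": "FileCreate", "image": DROPPER, "target": r"C:\Windows\SysWOW64\CHUOMY\AKV.exe"},
    {"event": "FileCreate", "image": DROPPER, "target": PAYLOAD},
    {"event": "FileCreate", "image": DROPPER, "target": r"C:\Windows\SysWOW64\CHUOMY\PCG.004"},
    {"event": "FileCreate", "image": DROPPER, "target": r"C:\Windows\SysWOW64\CHUOMY\PCG.001"},
    # 32-bit child: the command line says system32, the image actually loads from SysWOW64.
    {"event": "ProcessCreate", "image": PAYLOAD,
     "cmdline": r'"C:\Windows\system32\CHUOMY\PCG.exe"'},
    {"event": "RegistrySet", "image": PAYLOAD,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCG Start",
     "details": PAYLOAD},
    # Constructed benign control: a vendor updater registering itself from Program Files.
    {"event": "RegistrySet", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

_SYSTEM32 = re.compile(r"^(?P<root>[A-Za-z]:\\Windows\\)system32\\", re.IGNORECASE)
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
_SYSWOW64_SUBDIR = re.compile(r"^[A-Za-z]:\\Windows\\SysWOW64\\([^\\]+)\\[^\\]+$", re.IGNORECASE)
_COMPANION = re.compile(r"\.\d{3}$")  # PCG.001 / .002 / .004 style side files


def normalize_wow64(path: str) -> str:
    """Map a 32-bit process's system32 path to the SysWOW64 path it really resolves to."""
    path = path.strip('"')
    return _SYSTEM32.sub(lambda m: m.group("root") + "SysWOW64\\", path)


def run_key_persistence(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run-key writes whose value points at an executable inside a SysWOW64 subfolder."""
    hits = []
    for ev in events:
        if ev["event"] != "RegistrySet" or not _RUN_KEY.search(ev["target"]):
            continue
        exe = normalize_wow64(ev["details"])
        m = _SYSWOW64_SUBDIR.match(exe)
        if m:
            hits.append({"value": ev["target"].rsplit("\\", 1)[1], "exe": exe,
                         "subdir": m.group(1), "writer": ev["image"]})
    return hits


def staged_files(events: List[Dict[str, str]], exe: str) -> List[str]:
    """Executables and .NNN side files created next to exe by a process from elsewhere."""
    folder = exe.rsplit("\\", 1)[0].lower()
    names = set()
    for ev in events:
        if ev["event"] != "FileCreate":
            continue
        target = normalize_wow64(ev["target"])
        if target.rsplit("\\", 1)[0].lower() != folder:
            continue
        if normalize_wow64(ev["image"]).lower().startswith(folder + "\\"):
            continue  # written by the payload itself, not by a dropper
        if _COMPANION.search(target) or target.lower().endswith(".exe"):
            names.add(target.rsplit("\\", 1)[1])
    return sorted(names)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Chain the checks: a persisted SysWOW64 payload plus whoever staged it there."""
    report: List[Dict[str, object]] = []
    for hit in run_key_persistence(events):
        droppers = {ev["image"] for ev in events
                    if ev["event"] == "FileCreate"
                    and normalize_wow64(ev["target"]).lower() == hit["exe"].lower()}
        report.append({**hit, "droppers": sorted(droppers),
                       "staged": staged_files(events, hit["exe"])})
    return report


if __name__ == "__main__":
    print(json.dumps(detect(EVENTS), indent=2))
```

The benign Run value is not reported because its target is outside SysWOW64; the Ardamax value is, together with the dropper that wrote the executable and the four side files staged beside it. Path normalization runs on every comparison so that events logged with the system32 command-line spelling still line up with the SysWOW64 file events.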

Processes

C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe"

C:\Windows\SysWOW64\CHUOMY\PCG.exe

"C:\Windows\system32\CHUOMY\PCG.exe"

The second process is launched with a system32 path but its image is recorded under SysWOW64: PCG.exe is a 32-bit binary on 64-bit Windows, so WOW64 file system redirection maps system32 to SysWOW64 for it, which is also why its Run value lands under Wow6432Node. Normalize system32 to SysWOW64 before correlating this command line with the file and registry events above.

Network

N/A

Files

\Windows\SysWOW64\CHUOMY\PCG.exe

MD5 a9ea3f61a57b36cde9953afd91f18d34
SHA1 e7e931b96b6e39b64a2a38d704bbe9561a234cbc
SHA256 accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec
SHA512 0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

C:\Windows\SysWOW64\CHUOMY\PCG.004

MD5 517f05787f5fc650478b4b6732fd8d4b
SHA1 712dc4b2471a1d5023338c3dab40d6f136b98eb0
SHA256 7abe7d9b8f0861bb09f55d7e937a710c131368b4716ee9d95e30adf44e71415e
SHA512 68c5d02613ef1e13c0dc9210d9ee5a2db0f56e9a6faaf16992ec844f154ae25f72c5858f8520b06995fefbb6fabc35dcbf8296cd39cd4fdb6e5327d7a48873c1

C:\Windows\SysWOW64\CHUOMY\PCG.002

MD5 b2bcd668abf17ee408d232cc636614b2
SHA1 c354f941121515536c4f0d9ae49ed1a9b28534b4
SHA256 563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99
SHA512 ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

C:\Windows\SysWOW64\CHUOMY\PCG.001

MD5 7a5612cc859be918c5767487f8a6815a
SHA1 a855d3a3e6336ac0508a8099e8ace14680394c36
SHA256 643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1
SHA512 31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

C:\Windows\SysWOW64\CHUOMY\AKV.exe

MD5 4c5711d8a02899113661bdff195d80d5
SHA1 263592abea6d60887defb4b1bcb47dbb383edfb6
SHA256 661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195
SHA512 4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

memory/2692-15-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2692-17-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 00:02

Reported

2024-07-25 00:09

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCG Start = "C:\\Windows\\SysWOW64\\CHUOMY\\PCG.exe" | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\CHUOMY\PCG.004 | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\PCG.001 | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\PCG.002 | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\AKV.exe | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\CHUOMY\PCG.exe | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\SysWOW64\CHUOMY\ | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\CHUOMY\PCG.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d57f66cedb5869f3159e171565eda65_JaffaCakes118.exe"

C:\Windows\SysWOW64\CHUOMY\PCG.exe

"C:\Windows\system32\CHUOMY\PCG.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp

Every row is either a reverse (PTR) lookup sent to the sandbox's resolver or a TLS connection to tse1.mm.bing.net, a Microsoft host; none is a destination chosen by the sample, and the Windows 7 run (behavioral1) recorded no network activity at all. Treat this as Windows 10 background traffic unless a clean-run baseline of the same image says otherwise: the report shows no command-and-control or exfiltration endpoint for this sample.
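
Separating resolver and operating-system noise from sample-chosen destinations is worth automating before anyone spends time on a sandbox "Network" section. The Python below is an added example, not part of this report or of the sandbox. It parses the fourteen rows exactly as printed above; its list of background hosts (tse1.mm.bing.net) and of resolvers (8.8.8.8) is an analyst assumption to be confirmed against a clean run of the same image, and the 203.0.113.7 row is a constructed control showing what would reach the review list.

```python
"""Triage a sandbox network table: separate resolver and OS background noise
from destinations that need an analyst's attention (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# The behavioral2 rows exactly as printed in the report (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
"""

# Constructed control row (TEST-NET-3 address), not from the report: what a
# sample-chosen destination would look like in this table.
CONSTRUCTED_C2_ROW = "XX 203.0.113.7:8080 N/A tcp"

# Analyst assumptions for this example: the sandbox's resolver, and hostnames a
# clean Windows 10 image talks to on its own. Confirm both against a clean-run baseline.
SANDBOX_RESOLVERS = {"8.8.8.8"}
OS_BACKGROUND_HOSTS = {"tse1.mm.bing.net"}

_ROW = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$", re.IGNORECASE)


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Turn the flattened 'Country Destination Domain Proto' lines into dicts."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def reverse_lookup_target(domain: str) -> Optional[str]:
    """For a PTR name such as 4.159.190.20.in-addr.arpa return 20.190.159.4, else None."""
    suffix = ".in-addr.arpa"
    if not domain.lower().endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(row: Dict[str, object]) -> str:
    """ptr-lookup / dns-query: resolver traffic; os-background: image noise; review: the rest."""
    domain = str(row["domain"])
    if row["port"] == 53 and row["ip"] in SANDBOX_RESOLVERS:
        return "ptr-lookup" if reverse_lookup_target(domain) else "dns-query"
    if domain.lower() in OS_BACKGROUND_HOSTS:
        return "os-background"
    return "review"


def triage(text: str) -> Dict[str, object]:
    """Summarise a network table: class counts, rows to review, and which IPs were
    reverse-resolved (these are the addresses the OS was curious about, not the sample)."""
    rows = parse_rows(text)
    looked_up = set()
    for r in rows:
        target = reverse_lookup_target(str(r["domain"]))
        if target:
            looked_up.add(target)
    return {
        "rows": len(rows),
        "classes": dict(Counter(classify(r) for r in rows)),
        "review": [r for r in rows if classify(r) == "review"],
        "reverse_lookups": sorted(looked_up, key=ipaddress.IPv4Address),
    }


if __name__ == "__main__":
    print(triage(NETWORK_ROWS))
    print(classify(parse_rows(CONSTRUCTED_C2_ROW)[0]))
```

On the report's rows the review list is empty and eight PTR lookups decode to Microsoft-range addresses (20.x, 40.x, 52.x) plus one 217.x host; the constructed 203.0.113.7:8080 row is the only thing classified for review. Keep the background-host list per sandbox image rather than global, since what counts as noise changes with the OS build.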

Files

C:\Windows\SysWOW64\CHUOMY\PCG.exe

MD5 a9ea3f61a57b36cde9953afd91f18d34
SHA1 e7e931b96b6e39b64a2a38d704bbe9561a234cbc
SHA256 accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec
SHA512 0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

C:\Windows\SysWOW64\CHUOMY\PCG.004

MD5 517f05787f5fc650478b4b6732fd8d4b
SHA1 712dc4b2471a1d5023338c3dab40d6f136b98eb0
SHA256 7abe7d9b8f0861bb09f55d7e937a710c131368b4716ee9d95e30adf44e71415e
SHA512 68c5d02613ef1e13c0dc9210d9ee5a2db0f56e9a6faaf16992ec844f154ae25f72c5858f8520b06995fefbb6fabc35dcbf8296cd39cd4fdb6e5327d7a48873c1

C:\Windows\SysWOW64\CHUOMY\AKV.exe

MD5 4c5711d8a02899113661bdff195d80d5
SHA1 263592abea6d60887defb4b1bcb47dbb383edfb6
SHA256 661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195
SHA512 4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

memory/2368-16-0x0000000000B40000-0x0000000000B41000-memory.dmp

C:\Windows\SysWOW64\CHUOMY\PCG.002

MD5 b2bcd668abf17ee408d232cc636614b2
SHA1 c354f941121515536c4f0d9ae49ed1a9b28534b4
SHA256 563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99
SHA512 ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

C:\Windows\SysWOW64\CHUOMY\PCG.001

MD5 7a5612cc859be918c5767487f8a6815a
SHA1 a855d3a3e6336ac0508a8099e8ace14680394c36
SHA256 643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1
SHA512 31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

memory/2368-18-0x0000000000B40000-0x0000000000B41000-memory.dmp